VYPR
Moderate severity · NVD Advisory · Published Feb 12, 2020 · Updated Aug 5, 2024

CVE-2019-19921

Description

runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

runc through 1.0.0-rc9 has an access control flaw enabling privilege escalation via symlink following during /proc mount, exploitable with two containers sharing volumes.

Root cause: In runc, the mount(2) system call blindly follows symlinks. This allows a malicious container to trick runc into mounting /proc to an attacker-controlled location via a rename-exchange attack [4]. The bug resides in libcontainer/rootfs_linux.go [2].

Exploitation: An attacker must be able to spawn two containers with custom volume-mount configurations and run custom images [2]. By sharing a volume between containers, the attacker can exploit a race condition where one container manipulates a symlink to redirect the /proc mount to a non-directory, potentially leading to privilege escalation [4].

Impact: Successful exploitation can lead to information leak and integrity manipulation [3]. The vulnerability allows an attacker to escalate privileges within the container environment.

Mitigation: The issue is fixed in runc versions after 1.0.0-rc9 [4]. Red Hat released an advisory (RHSA-2020:0688) for OpenShift Container Platform 4.2.22 [3]. Note that Docker is not affected due to an implementation detail that blocks the attack [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
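The guard the fix commit introduces (Lstat the destination before mounting, refuse anything that exists but is not a plain directory), as an added Go example that is not runc's own code: checkMountDest and classifyDests are hypothetical names, and the temporary directory with its four destination shapes is constructed sample input. Because it is the same non-atomic check as the patch, it narrows the rename-exchange window the patch's TODO comment refers to rather than closing it.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// checkMountDest is a hypothetical helper reproducing the pre-mount check from
// the fix commit. os.Lstat does not follow symlinks, so a symlink at dest shows
// up as ModeSymlink rather than as the directory it points to and is rejected.
// A missing dest is accepted because the caller creates it with MkdirAll.
func checkMountDest(dest string) error {
	fi, err := os.Lstat(dest)
	if err != nil {
		if os.IsNotExist(err) {
			return nil
		}
		return err
	}
	if fi.Mode()&os.ModeDir == 0 {
		return fmt.Errorf("%s must be an ordinary directory, got %v", dest, fi.Mode().Type())
	}
	return nil
}

// classifyDests builds the destination shapes relevant to this CVE in a temp
// directory (constructed input) and reports which ones the check lets through.
// "host-dir" stands in for a path outside the intended rootfs directory.
func classifyDests() (map[string]bool, error) {
	root, err := os.MkdirTemp("", "cve-2019-19921-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(root)
	for _, e := range []error{
		os.Mkdir(filepath.Join(root, "host-dir"), 0o755),
		os.Mkdir(filepath.Join(root, "proc-dir"), 0o755),
		os.WriteFile(filepath.Join(root, "proc-file"), []byte("x"), 0o644),
		os.Symlink(filepath.Join(root, "host-dir"), filepath.Join(root, "proc-link")),
	} {
		if e != nil {
			return nil, e
		}
	}
	accepted := map[string]bool{}
	for _, name := range []string{"proc-dir", "proc-file", "proc-link", "proc-missing"} {
		accepted[name] = checkMountDest(filepath.Join(root, name)) == nil
	}
	return accepted, nil
}
```

Only "proc-dir" and "proc-missing" are accepted; the regular file and the symlink (even though it points at a real directory) are refused.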

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/opencontainers/runc (Go)
Affected versions: < 1.0.0-rc9.0.20200122160610-2fc03cc11c77
Patched versions: 1.0.0-rc9.0.20200122160610-2fc03cc11c77

Affected products

49

Patches

1 commit: 2fc03cc11c77

Merge pull request #2207 from cyphar/fix-double-volume-attack

https://github.com/opencontainers/runc · Mrunal Patel · Jan 22, 2020 · via ghsa
1 file changed · +12 −0
  • libcontainer/rootfs_linux.go · +12 −0 · modified
    @@ -299,6 +299,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
     
     	switch m.Device {
     	case "proc", "sysfs":
    +		// If the destination already exists and is not a directory, we bail
    +		// out This is to avoid mounting through a symlink or similar -- which
    +		// has been a "fun" attack scenario in the past.
    +		// TODO: This won't be necessary once we switch to libpathrs and we can
    +		//       stop all of these symlink-exchange attacks.
    +		if fi, err := os.Lstat(dest); err != nil {
    +			if !os.IsNotExist(err) {
    +				return err
    +			}
    +		} else if fi.Mode()&os.ModeDir == 0 {
    +			return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
    +		}
     		if err := os.MkdirAll(dest, 0755); err != nil {
     			return err
     		}
    
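Review bot: the new check is still a check-then-use sequence: `os.Lstat(dest)` runs first, then `os.MkdirAll(dest, 0755)`, then the mount itself, so a rename exchange that swaps dest for a symlink after the Lstat but before the mount is not caught. The TODO already admits this is interim until libpathrs; the comment above the check should say plainly that it narrows the window rather than closes it, so nobody reads it as a complete fix. Minor: "we bail out This is to avoid" is missing a period after "out".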

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

26
