runc container breakout through process.cwd trickery and leaked fds
Description
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/opencontainers/runcGo | >= 1.0.0-rc93, < 1.1.12 | 1.1.12 |
Affected products
313- osv-coords312 versionspkg:apk/chainguard/buildctlpkg:apk/chainguard/buildkitdpkg:apk/chainguard/cadvisorpkg:apk/chainguard/cadvisor-compatpkg:apk/chainguard/ctoppkg:apk/chainguard/datadog-agentpkg:apk/chainguard/datadog-agent-core-integrationspkg:apk/chainguard/datadog-agent-core-integrations-fipspkg:apk/chainguard/datadog-agent-fakeintakepkg:apk/chainguard/datadog-agent-fakeintake-fipspkg:apk/chainguard/datadog-agent-fipspkg:apk/chainguard/datadog-agent-jmxpkg:apk/chainguard/datadog-agent-jmx-fipspkg:apk/chainguard/datadog-agent-oci-compatpkg:apk/chainguard/datadog-agent-oci-compat-fipspkg:apk/chainguard/datadog-agent-s6-overlaypkg:apk/chainguard/datadog-agent-s6-overlay-fipspkg:apk/chainguard/datadog-cluster-agentpkg:apk/chainguard/datadog-cluster-agent-fipspkg:apk/chainguard/datadog-cluster-agent-oci-compatpkg:apk/chainguard/datadog-cluster-agent-oci-compat-fipspkg:apk/chainguard/dockerpkg:apk/chainguard/docker-config-mirror-gcrpkg:apk/chainguard/dockerdpkg:apk/chainguard/docker-dindpkg:apk/chainguard/docker-dind-compatpkg:apk/chainguard/dockerd-oci-entrypointpkg:apk/chainguard/dockerd-servicepkg:apk/chainguard/docker-initpkg:apk/chainguard/docker-modprobe-compatpkg:apk/chainguard/docker-oci-entrypointpkg:apk/chainguard/docker-rootlesspkg:apk/chainguard/dogstatsdpkg:apk/chainguard/grypepkg:apk/chainguard/ingress-nginx-controllerpkg:apk/chainguard/ingress-nginx-controller-compatpkg:apk/chainguard/ingress-nginx-controller-fipspkg:apk/chainguard/ingress-nginx-controller-fips-compatpkg:apk/chainguard/k3dpkg:apk/chainguard/k3d-proxypkg:apk/chainguard/k3d-toolspkg:apk/chainguard/k3spkg:apk/chainguard/k3s-embeddedpkg:apk/chainguard/k3s-imagespkg:apk/chainguard/k3s-multicallpkg:apk/chainguard/k3s-staticpkg:apk/chainguard/k9spkg:apk/chainguard/kanikopkg:apk/chainguard/kaniko-compatpkg:apk/chainguard/kaniko-warmerpkg:apk/chainguard/kaniko-warmer-compatpkg:apk/chainguard/kotspkg:apk/chainguard/kots-compatpkg:apk/chainguard/kots-symlink-compatpkg:apk/chainguard/kubeadm-1.28pkg:apk/chainguard/kubeadm-1.28-defaultpkg:apk/chainguard/kubeadm-1.29pkg:apk/chainguard/kubeadm-1.29-defaultpkg:apk/chainguard/kubeadm-fips-1.27pkg:apk/chainguard/kubeadm-fips-1.27-defaultpkg:apk/chainguard/kubeadm-fips-1.28pkg:apk/chainguard/kubeadm-fips-1.28-defaultpkg:apk/chainguard/kubeadm-fips-1.29pkg:apk/chainguard/kubeadm-fips-1.29-defaultpkg:apk/chainguard/kube-apiserver-1.28pkg:apk/chainguard/kube-apiserver-1.28-defaultpkg:apk/chainguard/kube-apiserver-1.29pkg:apk/chainguard/kube-apiserver-1.29-defaultpkg:apk/chainguard/kube-apiserver-fips-1.27pkg:apk/chainguard/kube-apiserver-fips-1.27-defaultpkg:apk/chainguard/kube-apiserver-fips-1.28pkg:apk/chainguard/kube-apiserver-fips-1.28-defaultpkg:apk/chainguard/kube-apiserver-fips-1.29pkg:apk/chainguard/kube-apiserver-fips-1.29-defaultpkg:apk/chainguard/kube-controller-manager-1.28pkg:apk/chainguard/kube-controller-manager-1.28-defaultpkg:apk/chainguard/kube-controller-manager-1.29pkg:apk/chainguard/kube-controller-manager-1.29-defaultpkg:apk/chainguard/kube-controller-manager-fips-1.27pkg:apk/chainguard/kube-controller-manager-fips-1.27-defaultpkg:apk/chainguard/kube-controller-manager-fips-1.28pkg:apk/chainguard/kube-controller-manager-fips-1.28-defaultpkg:apk/chainguard/kube-controller-manager-fips-1.29pkg:apk/chainguard/kube-controller-manager-fips-1.29-defaultpkg:apk/chainguard/kubectl-1.28pkg:apk/chainguard/kubectl-1.28-defaultpkg:apk/chainguard/kubectl-1.29pkg:apk/chainguard/kubectl-1.29-bitnami-compatpkg:apk/chainguard/kubectl-1.29-defaultpkg:apk/chainguard/kubectl-1.29-iamguarded-compatpkg:apk/chainguard/kubectl-bash-completion-1.28pkg:apk/chainguard/kubectl-bash-completion-1.29pkg:apk/chainguard/kubectl-bash-completion-fips-1.27pkg:apk/chainguard/kubectl-bash-completion-fips-1.28pkg:apk/chainguard/kubectl-bash-completion-fips-1.29pkg:apk/chainguard/kubectl-fips-1.27pkg:apk/chainguard/kubectl-fips-1.27-defaultpkg:apk/chainguard/kubectl-fips-1.28pkg:apk/chainguard/kubectl-fips-1.28-defaultpkg:apk/chainguard/kubectl-fips-1.29pkg:apk/chainguard/kubectl-fips-1.29-defaultpkg:apk/chainguard/kubelet-1.28pkg:apk/chainguard/kubelet-1.28-defaultpkg:apk/chainguard/kubelet-1.29pkg:apk/chainguard/kubelet-1.29-defaultpkg:apk/chainguard/kubelet-fips-1.27pkg:apk/chainguard/kubelet-fips-1.27-defaultpkg:apk/chainguard/kubelet-fips-1.28pkg:apk/chainguard/kubelet-fips-1.28-defaultpkg:apk/chainguard/kubelet-fips-1.29pkg:apk/chainguard/kubelet-fips-1.29-defaultpkg:apk/chainguard/kube-proxy-1.28pkg:apk/chainguard/kube-proxy-1.28-defaultpkg:apk/chainguard/kube-proxy-1.29pkg:apk/chainguard/kube-proxy-1.29-defaultpkg:apk/chainguard/kube-proxy-1.29-default-compatpkg:apk/chainguard/kube-proxy-fips-1.27pkg:apk/chainguard/kube-proxy-fips-1.27-defaultpkg:apk/chainguard/kube-proxy-fips-1.28pkg:apk/chainguard/kube-proxy-fips-1.28-defaultpkg:apk/chainguard/kube-proxy-fips-1.29pkg:apk/chainguard/kube-proxy-fips-1.29-defaultpkg:apk/chainguard/kubernetes-1.28pkg:apk/chainguard/kubernetes-1.28-defaultpkg:apk/chainguard/kubernetes-1.29pkg:apk/chainguard/kubernetes-1.29-defaultpkg:apk/chainguard/kubernetes-fips-1.27pkg:apk/chainguard/kubernetes-fips-1.27-defaultpkg:apk/chainguard/kubernetes-fips-1.28pkg:apk/chainguard/kubernetes-fips-1.28-defaultpkg:apk/chainguard/kubernetes-fips-1.29pkg:apk/chainguard/kubernetes-fips-1.29-defaultpkg:apk/chainguard/kubernetes-pause-1.29pkg:apk/chainguard/kubernetes-pause-compat-1.29pkg:apk/chainguard/kubernetes-pause-fips-3.9pkg:apk/chainguard/kubescapepkg:apk/chainguard/kube-scheduler-1.28pkg:apk/chainguard/kube-scheduler-1.28-defaultpkg:apk/chainguard/kube-scheduler-1.29pkg:apk/chainguard/kube-scheduler-1.29-defaultpkg:apk/chainguard/kube-scheduler-fips-1.27pkg:apk/chainguard/kube-scheduler-fips-1.27-defaultpkg:apk/chainguard/kube-scheduler-fips-1.28pkg:apk/chainguard/kube-scheduler-fips-1.28-defaultpkg:apk/chainguard/kube-scheduler-fips-1.29pkg:apk/chainguard/kube-scheduler-fips-1.29-defaultpkg:apk/chainguard/kube-webhook-certgenpkg:apk/chainguard/kube-webhook-certgen-fipspkg:apk/chainguard/nerdctlpkg:apk/chainguard/newrelic-infrastructure-agentpkg:apk/chainguard/newrelic-infrastructure-agent-1.43pkg:apk/chainguard/nvidia-device-pluginpkg:apk/chainguard/nvidia-device-plugin-fipspkg:apk/chainguard/podmanpkg:apk/chainguard/podman-docpkg:apk/chainguard/runcpkg:apk/chainguard/runc-docpkg:apk/chainguard/skaffoldpkg:apk/chainguard/skopeopkg:apk/chainguard/syftpkg:apk/chainguard/telegraf-1.26pkg:apk/chainguard/telegraf-1.27pkg:apk/chainguard/telegraf-1.28pkg:apk/chainguard/trivypkg:apk/chainguard/wolfictlpkg:apk/chainguard/zarfpkg:apk/chainguard/zotpkg:apk/wolfi/buildctlpkg:apk/wolfi/buildkitdpkg:apk/wolfi/cadvisorpkg:apk/wolfi/cadvisor-compatpkg:apk/wolfi/ctoppkg:apk/wolfi/datadog-agentpkg:apk/wolfi/datadog-agent-core-integrationspkg:apk/wolfi/datadog-agent-fakeintakepkg:apk/wolfi/datadog-agent-jmxpkg:apk/wolfi/datadog-agent-oci-compatpkg:apk/wolfi/datadog-agent-s6-overlaypkg:apk/wolfi/datadog-cluster-agentpkg:apk/wolfi/datadog-cluster-agent-oci-compatpkg:apk/wolfi/dockerpkg:apk/wolfi/docker-config-mirror-gcrpkg:apk/wolfi/dockerdpkg:apk/wolfi/docker-dindpkg:apk/wolfi/docker-dind-compatpkg:apk/wolfi/dockerd-oci-entrypointpkg:apk/wolfi/dockerd-servicepkg:apk/wolfi/docker-initpkg:apk/wolfi/docker-modprobe-compatpkg:apk/wolfi/docker-oci-entrypointpkg:apk/wolfi/docker-rootlesspkg:apk/wolfi/dogstatsdpkg:apk/wolfi/grypepkg:apk/wolfi/ingress-nginx-controllerpkg:apk/wolfi/ingress-nginx-controller-compatpkg:apk/wolfi/k3dpkg:apk/wolfi/k3d-proxypkg:apk/wolfi/k3d-toolspkg:apk/wolfi/k3spkg:apk/wolfi/k3s-embeddedpkg:apk/wolfi/k3s-imagespkg:apk/wolfi/k3s-multicallpkg:apk/wolfi/k3s-staticpkg:apk/wolfi/k9spkg:apk/wolfi/kanikopkg:apk/wolfi/kaniko-compatpkg:apk/wolfi/kaniko-warmerpkg:apk/wolfi/kaniko-warmer-compatpkg:apk/wolfi/kotspkg:apk/wolfi/kots-compatpkg:apk/wolfi/kots-symlink-compatpkg:apk/wolfi/kubeadm-1.29pkg:apk/wolfi/kubeadm-1.29-defaultpkg:apk/wolfi/kube-apiserver-1.29pkg:apk/wolfi/kube-apiserver-1.29-defaultpkg:apk/wolfi/kube-controller-manager-1.29pkg:apk/wolfi/kube-controller-manager-1.29-defaultpkg:apk/wolfi/kubectl-1.29pkg:apk/wolfi/kubectl-1.29-defaultpkg:apk/wolfi/kubectl-bash-completion-1.29pkg:apk/wolfi/kubelet-1.29pkg:apk/wolfi/kubelet-1.29-defaultpkg:apk/wolfi/kube-proxy-1.29pkg:apk/wolfi/kube-proxy-1.29-defaultpkg:apk/wolfi/kubernetes-1.29pkg:apk/wolfi/kubernetes-1.29-defaultpkg:apk/wolfi/kubescapepkg:apk/wolfi/kube-scheduler-1.29pkg:apk/wolfi/kube-scheduler-1.29-defaultpkg:apk/wolfi/kube-webhook-certgenpkg:apk/wolfi/nerdctlpkg:apk/wolfi/newrelic-infrastructure-agentpkg:apk/wolfi/nvidia-device-pluginpkg:apk/wolfi/podmanpkg:apk/wolfi/podman-docpkg:apk/wolfi/runcpkg:apk/wolfi/runc-docpkg:apk/wolfi/skaffoldpkg:apk/wolfi/skopeopkg:apk/wolfi/syftpkg:apk/wolfi/telegraf-1.26pkg:apk/wolfi/telegraf-1.27pkg:apk/wolfi/telegraf-1.28pkg:apk/wolfi/trivypkg:apk/wolfi/wolfictlpkg:apk/wolfi/zarfpkg:apk/wolfi/zotpkg:golang/github.com/opencontainers/runcpkg:rpm/almalinux/aardvark-dnspkg:rpm/almalinux/buildahpkg:rpm/almalinux/buildah-testspkg:rpm/almalinux/cockpit-podmanpkg:rpm/almalinux/conmonpkg:rpm/almalinux/containernetworking-pluginspkg:rpm/almalinux/containers-commonpkg:rpm/almalinux/container-selinuxpkg:rpm/almalinux/critpkg:rpm/almalinux/criupkg:rpm/almalinux/criu-develpkg:rpm/almalinux/criu-libspkg:rpm/almalinux/crunpkg:rpm/almalinux/fuse-overlayfspkg:rpm/almalinux/libslirppkg:rpm/almalinux/libslirp-develpkg:rpm/almalinux/netavarkpkg:rpm/almalinux/oci-seccomp-bpf-hookpkg:rpm/almalinux/podmanpkg:rpm/almalinux/podman-catatonitpkg:rpm/almalinux/podman-dockerpkg:rpm/almalinux/podman-gvproxypkg:rpm/almalinux/podman-pluginspkg:rpm/almalinux/podman-remotepkg:rpm/almalinux/podman-testspkg:rpm/almalinux/python3-criupkg:rpm/almalinux/python3-podmanpkg:rpm/almalinux/runcpkg:rpm/almalinux/skopeopkg:rpm/almalinux/skopeo-testspkg:rpm/almalinux/slirp4netnspkg:rpm/almalinux/toolboxpkg:rpm/almalinux/toolbox-testspkg:rpm/almalinux/udicapkg:rpm/opensuse/crun&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/crun&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/runc&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/runc&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/runc&distro=openSUSE%20Leap%20Micro%205.4pkg:rpm/opensuse/runc&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/singularity-ce&distro=openSUSE%20Tumbleweedpkg:rpm/suse/crun&distro=SUSE%20Package%20Hub%2015%20SP6pkg:rpm/suse/runc&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP5pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4
< 0.12.5-r1+ 311 more
- (no CPE)range: < 0.12.5-r1
- (no CPE)range: < 0.12.5-r1
- (no CPE)range: < 0.48.1-r4
- (no CPE)range: < 0.48.1-r4
- (no CPE)range: < 0.7.7-r13
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 0.74.4-r1
- (no CPE)range: < 1.9.6-r1
- (no CPE)range: < 1.9.6-r1
- (no CPE)range: < 1.9.5-r1
- (no CPE)range: < 1.9.5-r1
- (no CPE)range: < 5.6.0-r6
- (no CPE)range: < 5.6.0-r6
- (no CPE)range: < 5.6.0-r6
- (no CPE)range: < 1.29.0-r1
- (no CPE)range: < 1.29.0-r1
- (no CPE)range: < 1.29.0-r1
- (no CPE)range: < 1.29.0-r1
- (no CPE)range: < 1.29.0-r1
- (no CPE)range: < 0.31.8-r0
- (no CPE)range: < 1.20.1-r0
- (no CPE)range: < 1.20.1-r0
- (no CPE)range: < 1.20.1-r0
- (no CPE)range: < 1.20.1-r0
- (no CPE)range: < 1.107.0-r1
- (no CPE)range: < 1.107.0-r1
- (no CPE)range: < 1.107.0-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 3.0.3-r7
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.28.9-r0
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.29.15-r2
- (no CPE)range: < 1.9.6-r1
- (no CPE)range: < 1.9.5-r1
- (no CPE)range: < 1.7.3-r0
- (no CPE)range: < 1.48.4-r1
- (no CPE)range: < 1.43.2-r3
- (no CPE)range: < 0.14.4-r0
- (no CPE)range: < 0.14.3-r2
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 1.1.12-r0
- (no CPE)range: < 1.1.12-r0
- (no CPE)range: < 2.11.0-r0
- (no CPE)range: < 1.14.2-r1
- (no CPE)range: < 0.104.0-r0
- (no CPE)range: < 1.26.3-r10
- (no CPE)range: < 1.27.4-r10
- (no CPE)range: < 1.28.5-r2
- (no CPE)range: < 0.49.0-r0
- (no CPE)range: < 0.14.13-r0
- (no CPE)range: < 0.32.3-r0
- (no CPE)range: < 2.0.1-r2
- (no CPE)range: < 0.12.5-r1
- (no CPE)range: < 0.12.5-r1
- (no CPE)range: < 0.48.1-r4
- (no CPE)range: < 0.48.1-r4
- (no CPE)range: < 0.7.7-r13
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 25.0.2-r0
- (no CPE)range: < 7.50.3-r1
- (no CPE)range: < 0.74.4-r1
- (no CPE)range: < 1.9.6-r1
- (no CPE)range: < 1.9.6-r1
- (no CPE)range: < 5.6.0-r6
- (no CPE)range: < 5.6.0-r6
- (no CPE)range: < 5.6.0-r6
- (no CPE)range: < 1.29.0-r1
- (no CPE)range: < 1.29.0-r1
- (no CPE)range: < 1.29.0-r1
- (no CPE)range: < 1.29.0-r1
- (no CPE)range: < 1.29.0-r1
- (no CPE)range: < 0.31.8-r0
- (no CPE)range: < 1.20.1-r0
- (no CPE)range: < 1.20.1-r0
- (no CPE)range: < 1.20.1-r0
- (no CPE)range: < 1.20.1-r0
- (no CPE)range: < 1.107.0-r1
- (no CPE)range: < 1.107.0-r1
- (no CPE)range: < 1.107.0-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 3.0.3-r7
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.29.3-r1
- (no CPE)range: < 1.9.6-r1
- (no CPE)range: < 1.7.3-r0
- (no CPE)range: < 1.48.4-r1
- (no CPE)range: < 0.14.4-r0
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 1.1.12-r0
- (no CPE)range: < 1.1.12-r0
- (no CPE)range: < 2.11.0-r0
- (no CPE)range: < 1.14.2-r1
- (no CPE)range: < 0.104.0-r0
- (no CPE)range: < 1.26.3-r10
- (no CPE)range: < 1.27.4-r10
- (no CPE)range: < 1.28.5-r2
- (no CPE)range: < 0.49.0-r0
- (no CPE)range: < 0.14.13-r0
- (no CPE)range: < 0.32.3-r0
- (no CPE)range: < 2.0.1-r2
- (no CPE)range: >= 1.0.0-rc93, < 1.1.12
- (no CPE)range: < 2:1.0.1-38.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 1:1.24.6-7.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 1:1.24.6-7.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 46-1.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:2.1.4-2.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 1:1.1.1-6.module_el8.9.0+3711+04fcca5e
- (no CPE)range: < 2:1-38.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 2:2.205.0-3.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 3.15-3.module_el8.6.0+3137+d33c3efb
- (no CPE)range: < 3.15-3.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 3.15-3.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 3.15-3.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 1.8.7-1.module_el8.9.0+3683+33eb0feb
- (no CPE)range: < 1.9-2.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 4.4.0-1.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 4.4.0-1.module_el8.6.0+3137+d33c3efb
- (no CPE)range: < 2:1.0.1-38.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 1.2.5-2.module_el8.8.0+3468+16b86c82
- (no CPE)range: < 2:4.0.2-26.module_el8.9.0+3722+7fd8ab2b.alma.1
- (no CPE)range: < 2:4.0.2-26.module_el8.9.0+3722+7fd8ab2b.alma.1
- (no CPE)range: < 2:4.0.2-26.module_el8.9.0+3722+7fd8ab2b.alma.1
- (no CPE)range: < 2:4.0.2-26.module_el8.9.0+3722+7fd8ab2b.alma.1
- (no CPE)range: < 2:4.0.2-26.module_el8.9.0+3722+7fd8ab2b.alma.1
- (no CPE)range: < 2:4.0.2-26.module_el8.9.0+3722+7fd8ab2b.alma.1
- (no CPE)range: < 2:4.0.2-26.module_el8.9.0+3722+7fd8ab2b.alma.1
- (no CPE)range: < 3.15-3.module_el8.6.0+3137+d33c3efb
- (no CPE)range: < 4.0.0-2.module_el8.9.0+3711+04fcca5e
- (no CPE)range: < 4:1.1.12-1.el9_3
- (no CPE)range: < 2:1.6.2-9.module_el8.9.0+3687+dcd7ef8f.alma.1
- (no CPE)range: < 2:1.6.2-9.module_el8.9.0+3687+dcd7ef8f.alma.1
- (no CPE)range: < 1.1.8-3.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 0.0.99.4-5.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 0.0.99.4-5.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 0.2.6-4.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 1.20-bp156.2.3.1
- (no CPE)range: < 1.14.4-1.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.12-1.1
- (no CPE)range: < 4.1.3-1.1
- (no CPE)range: < 1.20-bp156.2.3.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-16.43.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- (no CPE)range: < 1.1.11-150000.58.1
- opencontainers/runcv5Range: >=v1.0.0-rc93, < 1.1.12
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-xr7r-f8xq-vfvvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-21626ghsaADVISORY
- packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.htmlghsaWEB
- www.openwall.com/lists/oss-security/2024/02/01/1ghsaWEB
- www.openwall.com/lists/oss-security/2024/02/02/3ghsaWEB
- github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecfghsax_refsource_MISCWEB
- github.com/opencontainers/runc/releases/tag/v1.1.12ghsax_refsource_MISCWEB
- github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvvghsax_refsource_CONFIRMWEB
- lists.debian.org/debian-lts-announce/2024/02/msg00005.htmlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2JghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTLghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/mitre
News mentions
2- ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New StoriesThe Hacker News · Jun 4, 2026
- Containers on fire: from container escapes to supply chain attacksSecurelist · Jun 1, 2026