runc container breakout through process.cwd trickery and leaked fds
Summary
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. Affected products named by the advisory: OCP-Tools-4.15-RHEL-8; Red Hat Enterprise Linux 7 Extras; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 8.2 Advanced Update Support; and 22 more. Affected products named by the advisory: Red Hat Enterprise Linux 8.2 Telecommunications Update Service; Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Telecommunications Update Service; and 16 more.
What this means
In plain English
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1").
Recommended action
The parsed official advisory does not currently specify a fixed release, mitigation, or workaround. Review the linked vendor advisory for the latest guidance before making changes.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- runc >=v1.0.0-rc93, < 1.1.12
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Fixed versions
No fixed release is recorded yet. That does not prove no patch exists — confirm against the vendor advisory.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation
The source record does not include mitigation steps. That is not a statement that no fix exists — read the vendor advisory below for the authoritative guidance.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.