CVE-2024-21626

Published Jan 31, 2024

Last updated a year ago

CVSS high 8.6
Docker
Container Security

Overview

Description
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
Source
security-advisories@github.com
NVD status
Modified
Products
runc, fedora

Risk scores

CVSS 3.1

Type
Primary
Base score
8.6
Impact score
6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-403
nvd@nist.gov
CWE-668

Social media

Hype score
Not currently trending

  1. CVE-2024-21626 runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker ... https://t.co/noJR8k56ZX https://t.co/e5nlZwyQvm

    @CVEradars

    2 Apr 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-21626: runc Container Breakout Vulnerability | Bug-Bounty notes https://t.co/DUsuxW5t8a

    @akaclandestine

    15 Mar 2026

    1351 Impressions

    3 Retweets

    9 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  3. New HackTheBox walkthrough: Giveback WordPress RCE → Kubernetes pivoting with Ligolo-ng → PHP-CGI exploitation → runc CVE-2024-21626 container escape to root. Advanced cloud-native pentesting chain. https://t.co/HeG3CoDqRp #HackTheBox #Kubernetes #ContainerEscape

    @Strikoder

    28 Feb 2026

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Spent last week patching a client's network after they ignored CVE-2024-21626 for 3 months. Exploit was in active use for 6 weeks before detection. Patch Tuesday isn't optional, it's your only reliable defense layer. https://t.co/E8QXXKOR3M

    @W1ld3W0rk5

    13 Jan 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2024-21626 proves container escapes are real. With osquery + eBPF, detect them in real time—no custom code, just smart SQL + kernel events. Start detecting today 👉 https://t.co/eFMbNN4jp2 #eBPF #Osquery #ContainerSecurity

    @uptycs

    21 May 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. CVE-2025-14269
  2. Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header. This issue has been patched in version 1.1.25. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.CVE-2026-33990
  3. A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.CVE-2026-35093
  4. A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.CVE-2026-35094
  5. Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.CVE-2026-33997

References

Sources include official advisories and independent security research.