ghcr.io/jo-jo98/ciguard, Container Runs as Root, (No CVE) (Low)

How CVE-2024-21626 works:

CVE-2024-21626 is a runc container escape affecting runc versions prior to 1.1.12. The flaw is a leaked file descriptor: while setting up a container, runc opened a directory on the host filesystem (the host's cgroup hierarchy under /sys/fs/cgroup) and did not close it with O_CLOEXEC before executing the container's process, so that process inherited the descriptor and could reach it through /proc/self/fd/<N>. A malicious image or OCI config that sets the process working directory (Dockerfile WORKDIR / the config's "cwd", or the -w argument to runc exec) to /proc/self/fd/<N> therefore starts the container process with its current directory on the host filesystem, outside the container's root. From there, relative paths such as ../../../etc resolve on the host, so every subsequent read or write operates directly on the host filesystem; the runc advisory notes that the same primitive can be adapted to overwrite semi-arbitrary host binaries for a complete escape. Without user namespaces, the UID inside the container is the UID the host kernel enforces: a process running as root (UID 0) in the container escapes as host root, while a non-root container user escapes as that same unprivileged host UID and can only touch what that UID is allowed to touch. The issue was disclosed and fixed on 31 January 2024 in runc 1.1.12; upgrading runc to 1.1.12 or later is the fix. Running containers as a non-root user (the USER directive or --user), dropping capabilities, and seccomp/AppArmor profiles reduce what an escape can do but do not prevent it.

dailycve form:

Platform: ciguard container image
Version: v0.8.2
Vulnerability: runs as root
Severity: Low
date: 2026-04-26

Prediction: 2026-04-27

What Undercode Say:

Scan the image config for the root-user misconfiguration (Trivy's Dockerfile/image-config check DS002, "Image user should not be 'root'", which Trivy rates HIGH):
trivy image --image-config-scanners misconfig --severity HIGH,CRITICAL ghcr.io/jo-jo98/ciguard:v0.8.2
Verify the effective user at runtime; the fix is confirmed only when this prints a non-zero uid (v0.8.2 is the affected tag, so re-run against the patched tag once it is published). --entrypoint bypasses whatever ENTRYPOINT the image sets:
docker run --rm --entrypoint id ghcr.io/jo-jo98/ciguard:v0.8.2
Check the container runtime on the host for the runc escape CVE:
runc --version
Upgrade if the version is below 1.1.12. runc normally comes from the distribution package or bundled inside containerd.io (Docker CE), so check what apt offers and upgrade that package; a bare "runc=1.1.12" will not match an apt version string such as 1.1.12-1:
apt-cache policy runc containerd.io
sudo apt update && sudo apt install --only-upgrade runc containerd.io
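The two checks above can be scripted so the result is a pass/fail rather than something a human reads off the screen. The script below is an added example written for this page, not ciguard's own tooling: user_is_root() classifies the Config.User string that docker inspect prints, runc_is_vulnerable() parses runc --version output and compares it against the 1.1.12 fix, and audit_image() wraps the live docker calls (it also starts the container and asks id -u, because a USER name that maps to uid 0 in the image's /etc/passwd would pass a string check). The sample values at the bottom are constructed so the classification can be seen without Docker.

```shell
#!/bin/sh
# Added example (not part of the ciguard project): audit an image for the
# root-user misconfiguration and the host's runc version from a shell.

# Is the image's Config.User (as printed by `docker inspect`) effectively root?
# Docker starts the process as uid 0 when User is empty; "root", "0" and the
# "uid:gid" forms of those are root too. A named user that maps to uid 0 in the
# image's /etc/passwd would slip past this string check, which is why
# audit_image() below also runs the container and asks `id -u`.
user_is_root() {
  u=${1%%:*}          # strip an optional ":gid" suffix
  case "$u" in
    ""|root|0) return 0 ;;
    *)         return 1 ;;
  esac
}

# version_lt A B: true when dotted version A (x.y.z) is strictly lower than B.
version_lt() {
  a1=${1%%.*}; ar=${1#*.}; a2=${ar%%.*}; a3=${ar#*.}
  b1=${2%%.*}; br=${2#*.}; b2=${br%%.*}; b3=${br#*.}
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# Takes the output of `runc --version` (or a bare "1.1.11") and reports whether
# the runtime predates the CVE-2024-21626 fix in 1.1.12. Distro builds append
# suffixes such as "1.1.9+ds1-1"; only the leading x.y.z is compared.
runc_is_vulnerable() {
  first=$(printf '%s\n' "$1" | head -n 1)
  ver=$(printf '%s\n' "$first" | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  [ -n "$ver" ] || return 2   # could not parse a version at all
  version_lt "$ver" 1.1.12
}

# Live check against a real image: image config first, then the effective uid.
audit_image() {
  img=$1
  cfg_user=$(docker inspect --format '{{.Config.User}}' "$img") || return 2
  if user_is_root "$cfg_user"; then
    echo "FAIL: $img Config.User='$cfg_user' runs as root"
    return 1
  fi
  uid=$(docker run --rm --entrypoint id "$img" -u) || return 2
  if [ "$uid" = "0" ]; then
    echo "FAIL: $img still starts as uid 0 (USER names a uid-0 account?)"
    return 1
  fi
  echo "OK: $img runs as '$cfg_user' (uid $uid)"
}

# Constructed sample values so the classification can be seen without Docker.
for u in "" root 0:0 ciguard 999 1000:1000; do
  if user_is_root "$u"; then r=root; else r=non-root; fi
  echo "Config.User='$u' -> $r"
done
for v in "runc version 1.1.11" "runc version 1.1.9+ds1-1" "1.1.12" "runc version 1.2.0"; do
  if runc_is_vulnerable "$v"; then r="vulnerable (< 1.1.12)"; else r="fixed"; fi
  echo "$v -> $r"
done

# Live use: `sh audit.sh ghcr.io/jo-jo98/ciguard:v0.8.2` where Docker is available.
if [ $# -gt 0 ] && command -v docker >/dev/null 2>&1; then
  audit_image "$1"
fi
if command -v runc >/dev/null 2>&1; then
  if runc_is_vulnerable "$(runc --version)"; then
    echo "host runc predates 1.1.12: upgrade"
  else
    echo "host runc is at or above 1.1.12"
  fi
fi
```

Exit status 1 from audit_image means the image is misconfigured, which makes it usable as a CI gate; the runc comparison ignores distro suffixes because what matters is the upstream release the package is built from.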

How Exploit:

There is no direct exploit for this finding on its own: running as root is a misconfiguration, not a vulnerability, until a container-runtime escape is combined with it. If a runc escape similar to CVE-2024-21626 exists on the host, an attacker inside the root-run container could: 1) locate a leaked host file descriptor under /proc/self/fd; 2) change directory through it into the host filesystem; 3) write a reverse-shell payload or key into the host's /root/.ssh, or a job into /etc/cron.d; 4) have it execute as root on the host.

Protection from this CVE:

1) Add `USER ciguard` to the Dockerfile after the user is created.
2) Create that user with `RUN groupadd -r ciguard && useradd -r -g ciguard …`
3) Run `docker run --user 999` as an override where the image cannot be rebuilt (this only works if the image's files and writable paths are readable by that UID).
4) Upgrade runc to ≥1.1.12 to remove the known escape primitive.
5) Enable seccomp and AppArmor profiles.
6) Scan with Trivy (check DS002, AVD-DS-0002, "Image user should not be 'root'") or Checkov.
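Items 1 and 2 as a Dockerfile, with the weak form beside the hardened one. This is an added example written for this page, not ciguard's own Dockerfile: the base image, the binary path /usr/local/bin/ciguard and the data directory /var/lib/ciguard are assumptions, and the fixed UID/GID 999 is chosen so that it matches the `--user 999` override in item 3.

```dockerfile
# Added example, not the project's Dockerfile. Paths and base image are assumed.

# Weak form: no USER directive, so Docker starts the process as uid 0.
#   FROM debian:bookworm-slim
#   COPY ciguard /usr/local/bin/ciguard
#   ENTRYPOINT ["/usr/local/bin/ciguard"]

# Hardened form:
FROM debian:bookworm-slim

# Fixed uid/gid so the value is predictable on the host and matches a
# `docker run --user 999` override. -r keeps the account in the system range;
# no home directory and no login shell.
RUN groupadd -r -g 999 ciguard \
 && useradd -r -u 999 -g ciguard -M -s /usr/sbin/nologin ciguard

# The binary stays root-owned and read-only to the service user, so a
# compromised process cannot rewrite its own executable.
COPY ciguard /usr/local/bin/ciguard
RUN chmod 0755 /usr/local/bin/ciguard

# Only the data directory the service must write to is owned by that user.
RUN mkdir -p /var/lib/ciguard && chown ciguard:ciguard /var/lib/ciguard

# Every later RUN, CMD and ENTRYPOINT runs as this user.
USER ciguard
WORKDIR /var/lib/ciguard
ENTRYPOINT ["/usr/local/bin/ciguard"]
```

After building, `docker run --rm --entrypoint id <image>` should print uid=999(ciguard). Note that USER in the Dockerfile is a default, not an enforcement: `docker run --user 0` overrides it back to root, so the runtime side (item 3 plus `--cap-drop ALL --security-opt no-new-privileges`) still has to be set by whoever starts the container.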

Impact:

Without the fix: any future container-runtime escape (for example a new runc CVE) lands as root on the host and grants full system compromise. With the fix: the escape lands as the unprivileged ciguard user (UID 999 when the account is created with a fixed UID or overridden with --user 999; a plain `useradd -r` picks a free system UID, often but not necessarily 999), so the damage is limited to what that UID may read or write on the host. This is defence in depth: it shrinks the blast radius of an escape but does not close the runtime vulnerability itself, which still needs the runc upgrade.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
