CVE-2024-21626

Severity: High
Public PoC: referenced
Published: 31 January 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: available (runc 1.1.12)
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0471 (89.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-21626 is a high-severity file descriptor leak (CWE-403) in runc, the Linux Foundation/OCI container runtime. Its CVSS 3.1 base score is 8.6 (High).

Operationally, it ranks in the top 10.4% of CVEs by exploit likelihood (EPSS 0.0471, 89.6th percentile); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

runc is the reference OCI container runtime: a CLI tool for spawning and running containers on Linux according to the OCI specification. CVE-2024-21626 is an internal file descriptor leak in runc 1.1.11 and earlier: a host file descriptor survives into the newly spawned container process, which can therefore be given a working directory that resides in the host filesystem namespace rather than inside the container's root filesystem. The flaw is tracked under CWE-403 (file descriptor leak) and CWE-668 (exposure of resource to wrong sphere) and carries a CVSS 3.1 base score of 8.6; the vector's S:C reflects the escape across the container boundary into the host, and UI:R the need for a victim to run, or exec into, an attacker-influenced container.

An attacker who can influence a process started with "runc exec" in an already running container can point its working directory at the leaked descriptor and obtain direct access to the host filesystem, a container escape ("attack 2"). The same mechanism can be triggered at "runc run" time by a malicious container image ("attack 1"), and variants of both permit overwriting semi-arbitrary host binaries, which turns filesystem access into full host compromise ("attacks 3a and 3b").

The runc 1.1.12 release contains the patches that close the descriptor leak. The corresponding upstream commits and distribution advisories recommend upgrading immediately and rebuilding or restarting affected containers after the update.

The CVE's EPSS rose from a low baseline to a recorded peak of 0.0745 before settling at the current 0.0471, indicating that exploitation interest increased after public disclosure.
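
The upgrade guidance above reduces, in practice, to "is the runc on this host 1.1.12 or newer?". The script below is an added example written for this page, not code from the advisory or from the runc project: it classifies a version string against the affected range (1.1.11 and earlier affected, 1.1.12 fixed, as stated above) and reads the installed version from the first line of "runc --version", whose "runc version X.Y.Z" format is assumed here.

```sh
#!/bin/sh
# Added example, not code from the advisory or the runc project: classify a
# runc version string against the affected range for CVE-2024-21626.
# Grounded in the advisory text: 1.1.11 and earlier are affected, 1.1.12 fixes it.

# runc_affected VERSION -> prints "affected" or "fixed".
# Accepts "1.1.11", "v1.1.11", and distro-style "1.1.11+ds1-1"; only the
# leading numeric major.minor.patch is compared, any suffix is dropped.
runc_affected() {
    v=$(printf '%s' "$1" | sed -e 's/^v//' -e 's/[^0-9.].*$//')
    IFS=. read -r major minor patch <<EOF
$v
EOF
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    # "fixed" means version >= 1.1.12
    if [ "$major" -gt 1 ] \
       || { [ "$major" -eq 1 ] && [ "$minor" -gt 1 ]; } \
       || { [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 12 ]; }; then
        printf 'fixed\n'
    else
        printf 'affected\n'
    fi
}

# runc_installed_version -> the X.Y.Z from the first line of `runc --version`,
# which upstream prints as "runc version X.Y.Z" (assumed format; prints
# nothing if runc is not on PATH).
runc_installed_version() {
    runc --version 2>/dev/null | awk '/^runc version/ { print $3; exit }'
}

# check_runc -> one-line verdict for the runc binary on this host.
# Caveat: distributions sometimes backport the fix without bumping the
# upstream version (the package then looks older than 1.1.12), so an
# "affected" verdict on a distro package means "confirm against the
# distribution advisory", not "confirmed vulnerable".
check_runc() {
    ver=$(runc_installed_version)
    if [ -z "$ver" ]; then
        printf 'runc not found on PATH\n' >&2
        return 2
    fi
    printf 'runc %s: %s (CVE-2024-21626, fixed in 1.1.12)\n' \
        "$ver" "$(runc_affected "$ver")"
}

check_runc || true
```

Run it on each container host (and inside any image that bundles its own runc); a "fixed" verdict covers new "runc run" and "runc exec" invocations from that point on, so the advisory's instruction to rebuild or restart containers after the update still applies.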

Vulnerability details

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

CWE(s)

CWE-403: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
CWE-668: Exposure of Resource to Wrong Sphere

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

linuxfoundation runc: 1.1.11 and earlier (fixed in 1.1.12)
fedoraproject fedora: 39

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. All of the controls below address CWE-668 (Exposure of Resource to Wrong Sphere). They are generic to the weakness class; the specific remediation for this CVE remains the upgrade to runc 1.1.12 described above.

- Controls whether organization resources are exposed to external system spheres by permitting or prohibiting their use.
- Ensures information is not released into a security sphere where the recipient lacks matching access authorizations.
- Ensures information resources are not exposed to the incorrect (public) sphere through review and authorization.
- Protects against data mining that would expose resources to unauthorized spheres by enforcing detection and controls.
- Restricts information flows to ensure resources are not exposed to incorrect or unauthorized spheres.
- Controls internal connections to prevent exposure of resources to unintended internal spheres.
- Tracks exact processing and storage locations to avoid exposure of resources to incorrect spheres.
- Prevents exposure of the media resource to the wrong security sphere.