CVE-2024-21626
Published: 31 January 2024
Summary
CVE-2024-21626 is a high-severity File Descriptor Leak (CWE-403) vulnerability in Linuxfoundation Runc. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 10.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. CVE-2024-21626 is an internal file descriptor leak present in runc 1.1.11 and earlier that allows a newly spawned container process to receive a working directory residing in the host filesystem namespace. The flaw is tracked under CWE-403 and CWE-668 and carries a CVSS 3.1 score of 8.6.
An attacker able to execute “runc exec” inside an already running container can leverage the leaked descriptor to obtain direct access to the host filesystem, achieving a container escape. The same mechanism can be triggered by a malicious container image at “runc run” time, and variants of the attack permit overwriting semi-arbitrary host binaries for full host compromise.
The runc 1.1.12 release contains patches that close the descriptor leak. Corresponding commits and distribution advisories recommend upgrading immediately and rebuilding or restarting affected containers after the update.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0745, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0459
Vulnerability details
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Controls whether organization resources are exposed to external system spheres by permitting or prohibiting their use.
- Ensures information is not released into a security sphere where the recipient lacks matching access authorizations.
- Ensures information resources are not exposed to the incorrect (public) sphere through review and authorization.
- Protects against data mining that would expose resources to unauthorized spheres by enforcing detection and controls.
- Restricts information flows to ensure resources are not exposed to incorrect or unauthorized spheres.
- Controls internal connections to prevent exposure of resources to unintended internal spheres.
- Tracks exact processing and storage locations to avoid exposure of resources to incorrect spheres.
- Prevents exposure of the media resource to the wrong security sphere.