runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HApache Mesos
APPApache1.4.0 – 1.4.3 (bez)1.7.0 – 1.7.2 (bez)1.6.0 – 1.6.2 (bez)1.5.0 – 1.5.3 (bez)Canonical Ubuntu
OSCanonical16.0418.0418.1019.04D2iq Dc\/os
OSD2Iq1.10.11 – 1.11.9 (bez)< 1.10.101.11.10 – 1.12.1 (bez)D2iq Kubernetes Engine
APPD2Iq< 2.2.0-1.13.3Docker
APPDocker< 18.09.2Fedora Project Fedora
OSFedoraproject2930Google Kubernetes Engine
APPGooglewszystkie wersjeHP Onesphere
APPHpwszystkie wersjeLinuxcontainers Lxc
APPLinuxcontainers< 3.2.0Linuxfoundation Runc
APPLinuxfoundation1.0.0≤ 0.1.1Microfocus Service Management Automation
APPMicrofocus2018.022018.052018.082018.11Netapp Hci Management Node
APPNetappwszystkie wersjeNetapp Solidfire
APPNetappwszystkie wersjeOpensuse Backports Sle
APPOpensuse15.0Opensuse Leap
OSOpensuse15.015.142.3Red Hat Container Development Kit
APPRedhat3.7Red Hat Enterprise Linux
OSRedhat8.0Red Hat Enterprise Linux Server
OSRedhat7.0Red Hat Openshift
APPRedhat3.43.53.63.7
Related vulnerabilities
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit
Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML
Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)
Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox