Which versions are affected by CVE-2024-21626?

Affected: runc < 1.1.12. Fixed in: runc 1.1.12+.

highCVSS 8.6/10·Published: 2024-01-31·runc (Docker, Kubernetes, containerd)

How to fix CVE-2024-21626 – Step-by-Step Guide

CVE-2024-21626 (runc Container Escape – Leaky Vessels) is a HIGH severity vulnerability with a CVSS score of 8.6/10. A file descriptor leak in runc allows attackers to escape container isolation and gain root access to the host system. Affects Docker, Kubernetes, and other runc-based container runtimes. Follow the step-by-step guide below to remediate this vulnerability in your infrastructure.

CVE ID

CVE-2024-21626

Severity

HIGH

CVSS Score

8.6/10

Affected

runc (Docker, Kubernetes, containerd)

What is runc Container Escape – Leaky Vessels?

runc Container Escape – Leaky Vessels (CVE-2024-21626) affects runc (Docker, Kubernetes, containerd). A file descriptor leak in runc allows attackers to escape container isolation and gain root access to the host system. Affects Docker, Kubernetes, and other runc-based container runtimes. It was published on 2024-01-31 and affects runc < 1.1.12. The fixed version is runc 1.1.12+.

Affected Versions

runc < 1.1.12

Fixed In

runc 1.1.12+

Official References

Impact and Risks for your Infrastructure

Container escape to host root. Any container with access to /proc/self/fd can exploit the file descriptor leak to escape isolation and compromise the host.

runcdockerkubernetescontainer-escapehigh2024

Step-by-Step Mitigation Guide

To remediate CVE-2024-21626, follow the prioritized mitigation steps: Update runc to 1.1.12 or later. → Update Docker to 25.0.2+ / 24.0.9+ and containerd to 1.7.13+ / 1.6.27+. → Run containers as non-root with --user and --cap-drop=ALL. → Enable Seccomp and AppArmor/SELinux profiles for containers. → Restrict /proc access with read-only mounts where possible. → Run containers in rootless mode (Podman, rootless Docker) for defense-in-depth.. Verify the fix using the verification commands below and confirm the patched version is deployed across all affected systems.

1Update runc to 1.1.12 or later.
2Update Docker to 25.0.2+ / 24.0.9+ and containerd to 1.7.13+ / 1.6.27+.
3Run containers as non-root with --user and --cap-drop=ALL.
4Enable Seccomp and AppArmor/SELinux profiles for containers.
5Restrict /proc access with read-only mounts where possible.
6Run containers in rootless mode (Podman, rootless Docker) for defense-in-depth.

Frequently Asked Questions

What is the CVSS score for CVE-2024-21626?▼

CVE-2024-21626 has a CVSS score of 8.6/10 (high severity). This reflects a significant security risk that should be addressed promptly.

Which versions of runc (Docker, Kubernetes, containerd) are affected?▼

Affected: runc < 1.1.12. The vulnerability was fixed in: runc 1.1.12+.

How long does it take to fix CVE-2024-21626?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2024-21626 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a high-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.