What is CVE-2024-21626?

A file descriptor leak in runc allows attackers to escape container isolation and gain root access to the host system. Affects Docker, Kubernetes, and other runc-based container runtimes.

How do I fix CVE-2024-21626?

Update runc to 1.1.12 or later. Update Docker to 25.0.2+ / 24.0.9+ and containerd to 1.7.13+ / 1.6.27+. Run containers as non-root with --user and --cap-drop=ALL. Enable Seccomp and AppArmor/SELinux profiles for containers. Restrict /proc access with read-only mounts where possible. Run containers in rootless mode (Podman, rootless Docker) for defense-in-depth.

Which versions are affected by CVE-2024-21626?

Affected: runc < 1.1.12. Fixed in: runc 1.1.12+.

highCVSS 8.6/10·Published: 2024-01-31·runc (Docker, Kubernetes, containerd)

How to fix CVE-2024-21626 – Step-by-Step Guide

CVE-2024-21626, known as 'Leaky Vessels,' is a high-severity container escape vulnerability affecting runc and popular container runtimes like Docker and Kubernetes. This critical flaw allows an attacker to break out of container isolation. Immediate patching is essential to secure your containerized environments.

CVE ID

CVE-2024-21626

Severity

HIGH

CVSS Score

8.6/10

Affected

runc (Docker, Kubernetes, containerd)

What is runc Container Escape – Leaky Vessels?

CVE-2024-21626 is a runc vulnerability stemming from a file descriptor leak. An attacker within a container can exploit this leak by accessing /proc/self/fd, gaining unauthorized access to host file descriptors. This enables them to bypass container isolation and execute arbitrary code with root privileges on the underlying host system.

Affected Versions

runc < 1.1.12

Fixed In

runc 1.1.12+

Official References

Impact and Risks for your Infrastructure

The primary impact of CVE-2024-21626 is a complete container escape, granting an attacker root access to the host system. This can lead to full compromise of the host, data exfiltration, service disruption, and lateral movement across your infrastructure. Unpatched systems face severe security risks.

runcdockerkubernetescontainer-escapehigh2024

Step-by-Step Mitigation Guide

To mitigate CVE-2024-21626, update runc to version 1.1.12 or later immediately. For Docker, Kubernetes, or containerd users, ensure your container runtime packages are updated to versions incorporating the fixed runc. Verify the fix by checking your runc version and confirming successful updates across all affected hosts.

1Update runc to 1.1.12 or later.
2Update Docker to 25.0.2+ / 24.0.9+ and containerd to 1.7.13+ / 1.6.27+.
3Run containers as non-root with --user and --cap-drop=ALL.
4Enable Seccomp and AppArmor/SELinux profiles for containers.
5Restrict /proc access with read-only mounts where possible.
6Run containers in rootless mode (Podman, rootless Docker) for defense-in-depth.

Frequently Asked Questions

What is the CVSS score for CVE-2024-21626?▼

CVE-2024-21626 has a CVSS score of 8.6/10 (high severity). This reflects a significant security risk that should be addressed promptly.

Which versions of runc (Docker, Kubernetes, containerd) are affected?▼

Affected: runc < 1.1.12. The vulnerability was fixed in: runc 1.1.12+.

How long does it take to fix CVE-2024-21626?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2024-21626 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a high-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.