Safeguard
Tag

container-escape

Safeguard articles tagged "container-escape" — guides, analysis, and best practices for software supply chain and application security.

14 articles

Container Security

Container escape techniques and defense in depth

CVE-2024-21626 let a leaked file descriptor turn runc exec into host root. Here's how container escapes actually work — and the layers that stop them.

Jul 15, 20266 min read
Container Security

Container Escape Vulnerabilities: How They Work and How to Stop Them

A container is a process with boundaries, not a virtual machine. When those boundaries fail, an attacker lands on the host. Here is the anatomy of real container escapes — runc, Leaky Vessels, Dirty Pipe — and how to defend against them.

Jul 5, 20265 min read
Container Security

Container escape attacks: how they happen and how to prev...

Container escapes rarely need a zero-day — privileged flags, mounted sockets, and excess capabilities do the job. Here's how they happen, real CVEs, and how to stop them.

Apr 26, 20269 min read
Container Security

Container escape

A container escape lets attackers break out of a container into the host or other workloads. Learn how these attacks work, real CVEs, and Kubernetes risk.

Feb 22, 20267 min read
Vulnerability Analysis

Linux cgroups release_agent container escape (CVE-2022-0492)

CVE-2022-0492 lets containers with CAP_SYS_ADMIN escape via cgroup v1's release_agent. Impact, timeline, and concrete remediation steps inside.

Jan 9, 20267 min read
Vulnerability Analysis

containerd-shim abstract Unix socket container escape (CVE-2020-15257)

CVE-2020-15257 let containers sharing a host network namespace abuse containerd-shim's abstract socket API. Here's the impact, fix, and remediation path.

Jan 9, 20267 min read
Vulnerability Analysis

Kubernetes kubelet symlink volume mount escape (CVE-2021-25741)

CVE-2021-25741 lets attackers escape subPath volume mounts in Kubernetes kubelet via a symlink race, exposing host files and enabling privilege escalation.

Jan 8, 20267 min read
Vulnerability Analysis

runc Container Breakout via /proc/self/exe Overwrite (CVE...

CVE-2019-5736 let a malicious container overwrite the host runc binary, escaping isolation to gain root on the Docker or Kubernetes host.

Nov 21, 20257 min read
Vulnerability Analysis

containerd-shim Abstract Unix Socket Exposure Enabling Co...

CVE-2020-15257 lets processes in host-networked containers reach the containerd-shim socket and escape to the host. Impact, affected versions, and fixes explained.

Nov 21, 20258 min read
Vulnerability Analysis

CRI-O 'cr8escape' Sysctl Injection Container Escape (CVE-...

CVE-2022-0811 (cr8escape) is a CRI-O flaw where an unvalidated sysctl injection let attackers escape containers and gain root on Kubernetes hosts.

Nov 21, 20257 min read
Vulnerability Analysis

BuildKit Privileged Entitlement Check Bypass Enabling Hos...

CVE-2024-23653 lets malicious Dockerfiles bypass BuildKit's privileged entitlement check via the interactive containers API, escaping to the host.

Nov 20, 20258 min read
Vulnerability Response

CVE-2025-9074 in Docker Desktop: Patch Posture & SBOM Response

Docker Desktop container-to-host escape scored CVSS 9.3. Affected Windows and macOS developer fleets need a fast patch rollout. Defender playbook below.

Aug 21, 20256 min read
container-escape — Safeguard Blog