container-escape
Safeguard articles tagged "container-escape" — guides, analysis, and best practices for software supply chain and application security.
14 articles
Container escape techniques and defense in depth
CVE-2024-21626 let a leaked file descriptor turn runc exec into host root. Here's how container escapes actually work — and the layers that stop them.
Container Escape Vulnerabilities: How They Work and How to Stop Them
A container is a process with boundaries, not a virtual machine. When those boundaries fail, an attacker lands on the host. Here is the anatomy of real container escapes — runc, Leaky Vessels, Dirty Pipe — and how to defend against them.
Container escape attacks: how they happen and how to prev...
Container escapes rarely need a zero-day — privileged flags, mounted sockets, and excess capabilities do the job. Here's how they happen, real CVEs, and how to stop them.
Container escape
A container escape lets attackers break out of a container into the host or other workloads. Learn how these attacks work, real CVEs, and Kubernetes risk.
Linux cgroups release_agent container escape (CVE-2022-0492)
CVE-2022-0492 lets containers with CAP_SYS_ADMIN escape via cgroup v1's release_agent. Impact, timeline, and concrete remediation steps inside.
containerd-shim abstract Unix socket container escape (CVE-2020-15257)
CVE-2020-15257 let containers sharing a host network namespace abuse containerd-shim's abstract socket API. Here's the impact, fix, and remediation path.
Kubernetes kubelet symlink volume mount escape (CVE-2021-25741)
CVE-2021-25741 lets attackers escape subPath volume mounts in Kubernetes kubelet via a symlink race, exposing host files and enabling privilege escalation.
runc Container Breakout via /proc/self/exe Overwrite (CVE...
CVE-2019-5736 let a malicious container overwrite the host runc binary, escaping isolation to gain root on the Docker or Kubernetes host.
containerd-shim Abstract Unix Socket Exposure Enabling Co...
CVE-2020-15257 lets processes in host-networked containers reach the containerd-shim socket and escape to the host. Impact, affected versions, and fixes explained.
CRI-O 'cr8escape' Sysctl Injection Container Escape (CVE-...
CVE-2022-0811 (cr8escape) is a CRI-O flaw where an unvalidated sysctl injection let attackers escape containers and gain root on Kubernetes hosts.
BuildKit Privileged Entitlement Check Bypass Enabling Hos...
CVE-2024-23653 lets malicious Dockerfiles bypass BuildKit's privileged entitlement check via the interactive containers API, escaping to the host.
CVE-2025-9074 in Docker Desktop: Patch Posture & SBOM Response
Docker Desktop container-to-host escape scored CVSS 9.3. Affected Windows and macOS developer fleets need a fast patch rollout. Defender playbook below.