Safeguard
Tag

runc

Safeguard articles tagged "runc" — guides, analysis, and best practices for software supply chain and application security.

17 articles

Container Security

Container escape techniques and defense in depth

CVE-2024-21626 let a leaked file descriptor turn runc exec into host root. Here's how container escapes actually work — and the layers that stop them.

Jul 15, 20266 min read
Container Security

Container-handling security fundamentals: immutability, signing, and privilege drops

Two runc CVEs, five years apart, both turned root-in-container into root-on-host — proof that container isolation needs backup, not blind trust.

Jul 11, 20267 min read
Container Security

Container security: five best practices for provenance, runtime, and network

A single runc bug (CVE-2024-21626) enabled full container escapes in early 2024 — proof that provenance and network defaults matter as much as image scanning.

Jul 11, 20266 min read
Container Security

CTF Writeup: Container SETUID Escape Techniques

A container-local root shell is not the flag. CVE-2019-5736 and CVE-2021-4034 both show how a SETUID binary inside a container can become a host compromise.

Jul 8, 20266 min read
Container Security

Container Escape Vulnerabilities: How They Work and How to Stop Them

A container is a process with boundaries, not a virtual machine. When those boundaries fail, an attacker lands on the host. Here is the anatomy of real container escapes — runc, Leaky Vessels, Dirty Pipe — and how to defend against them.

Jul 5, 20265 min read
Container Security

Top Docker security vulnerabilities to watch

Runc escapes, exposed Docker APIs, malicious registry images: the Docker vulnerabilities actually driving incidents in 2024-2025, and how to triage what's exploitable.

Jun 28, 20267 min read
Container Security

Container isolation with namespaces, cgroups, and seccomp

Namespaces, cgroups, and seccomp each isolate a different layer of a container — and a single misconfigured one, like CVE-2024-21626 showed, breaks all three.

Jun 27, 20266 min read
Container Security

Container escape vulnerabilities explained

Container escape vulnerabilities let attackers break out of isolation and reach the host kernel. Here's how CVE-2024-21626 and CVE-2019-5736 actually work.

Jun 22, 20267 min read
Container Security

Container escape

A container escape lets attackers break out of a container into the host or other workloads. Learn how these attacks work, real CVEs, and Kubernetes risk.

Feb 22, 20267 min read
Container Security

Container Breakout Class Vulnerabilities 2024-2025

A look at the container breakout vulnerabilities disclosed in 2024 and 2025, what they actually required to exploit, and what that pattern tells us about the defense model.

Feb 11, 20267 min read
Container Security

Container Runtime Showdown: runc vs crun vs gVisor in 2026

A practical comparison of runc, crun, and gVisor across performance, isolation, and operational fit, with concrete guidance on when each runtime earns its place in production.

Feb 4, 20265 min read
Emerging Technology

Leaky Vessels: The runc Container Escape Class (2024)

Leaky Vessels bundled four CVEs that let container processes escape into the host. Two years later the class is still mispatched and misunderstood.

Feb 4, 20267 min read
runc — Safeguard Blog