runc
Safeguard articles tagged "runc" — guides, analysis, and best practices for software supply chain and application security.
17 articles
Container escape techniques and defense in depth
CVE-2024-21626 let a leaked file descriptor turn runc exec into host root. Here's how container escapes actually work — and the layers that stop them.
Container-handling security fundamentals: immutability, signing, and privilege drops
Two runc CVEs, five years apart, both turned root-in-container into root-on-host — proof that container isolation needs backup, not blind trust.
Container security: five best practices for provenance, runtime, and network
A single runc bug (CVE-2024-21626) enabled full container escapes in early 2024 — proof that provenance and network defaults matter as much as image scanning.
CTF Writeup: Container SETUID Escape Techniques
A container-local root shell is not the flag. CVE-2019-5736 and CVE-2021-4034 both show how a SETUID binary inside a container can become a host compromise.
Container Escape Vulnerabilities: How They Work and How to Stop Them
A container is a process with boundaries, not a virtual machine. When those boundaries fail, an attacker lands on the host. Here is the anatomy of real container escapes — runc, Leaky Vessels, Dirty Pipe — and how to defend against them.
Top Docker security vulnerabilities to watch
Runc escapes, exposed Docker APIs, malicious registry images: the Docker vulnerabilities actually driving incidents in 2024-2025, and how to triage what's exploitable.
Container isolation with namespaces, cgroups, and seccomp
Namespaces, cgroups, and seccomp each isolate a different layer of a container — and a single misconfigured one, like CVE-2024-21626 showed, breaks all three.
Container escape vulnerabilities explained
Container escape vulnerabilities let attackers break out of isolation and reach the host kernel. Here's how CVE-2024-21626 and CVE-2019-5736 actually work.
Container escape
A container escape lets attackers break out of a container into the host or other workloads. Learn how these attacks work, real CVEs, and Kubernetes risk.
Container Breakout Class Vulnerabilities 2024-2025
A look at the container breakout vulnerabilities disclosed in 2024 and 2025, what they actually required to exploit, and what that pattern tells us about the defense model.
Container Runtime Showdown: runc vs crun vs gVisor in 2026
A practical comparison of runc, crun, and gVisor across performance, isolation, and operational fit, with concrete guidance on when each runtime earns its place in production.
Leaky Vessels: The runc Container Escape Class (2024)
Leaky Vessels bundled four CVEs that let container processes escape into the host. Two years later the class is still mispatched and misunderstood.