runc container escape explained: Critical container vulnerabilities & host takeover risk
Containers are supposed to be isolated — but what happens when that isolation breaks?
In this video, we explain critical container escape vulnerabilities in runc, the default container runtime used by Docker and Kubernetes, and why they represent a serious container security risk.
Recent disclosures known as the “Leaky Vessels” vulnerabilities show how a compromised container can escape its sandbox, access the host filesystem, and potentially take over the node.
Vulnerabilities covered:
CVE-2024-21626 (runc)
A leaked file descriptor allows a container’s working directory to point to a host namespace path, breaking container isolation and enabling host filesystem access.
CVE-2024-23651 / 23652 / 23653 (BuildKit)
Build-time flaws such as symlink race conditions and improper mount validation that can allow containers to write to or delete host files.
Why this matters for container security:
- Container escape enables privilege escalation
- A single compromised container can impact entire Kubernetes nodes
- Multi-tenant clusters face massive blast radius
- runc and BuildKit are foundational tools, making these vulnerabilities widely exploitable
How to reduce container escape risk today:
- Patch runc ≥ 1.1.12 and BuildKit ≥ 0.12.5 immediately
- Use trusted container images and audited Dockerfiles
- Avoid privileged containers and unnecessary mounts
- Monitor runtime behavior for unexpected host file access
- Detect suspicious activity like symlink creation over sensitive paths
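A quick way to verify the first item on that list is to compare the installed runtime versions against the patched releases named above. The following check is an added example, not code from Sysdig or the runc/BuildKit projects; it assumes `runc --version` prints a banner like "runc version 1.1.12" and `buildkitd --version` prints one containing "v0.12.5" (the sample banners in the test are constructed).

```python
from __future__ import annotations

import re
import subprocess

# Minimum patched releases named in the video description.
MIN_VERSIONS = {"runc": (1, 1, 12), "buildkit": (0, 12, 5)}

# Assumed --version invocations for the two tools.
VERSION_COMMANDS = {
    "runc": ["runc", "--version"],
    "buildkit": ["buildkitd", "--version"],
}


def parse_version(banner: str) -> tuple[int, ...] | None:
    """Extract the first x.y.z triple (optionally prefixed with 'v') from a --version banner."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(tool: str, banner: str) -> bool:
    """True when the version in the banner meets the minimum patched release for `tool`."""
    version = parse_version(banner)
    if version is None:
        raise ValueError(f"no version found in {tool} banner: {banner!r}")
    # Tuple comparison orders (1, 1, 12) below (1, 2, 0) and above (1, 1, 11).
    return version >= MIN_VERSIONS[tool]


def banner_for(cmd: list[str]) -> str | None:
    """Run the version command; None when the binary is not installed or hangs."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=5).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None


def check_host() -> dict[str, bool | None]:
    """Patch status per tool on this host: True/False, or None if the tool is absent."""
    status: dict[str, bool | None] = {}
    for tool, cmd in VERSION_COMMANDS.items():
        banner = banner_for(cmd)
        status[tool] = None if banner is None else is_patched(tool, banner)
    return status


if __name__ == "__main__":
    for tool, ok in check_host().items():
        state = "not installed" if ok is None else ("patched" if ok else "VULNERABLE, upgrade")
        print(f"{tool}: {state}")
```

Run it on each node (or in a DaemonSet) to find hosts still on a pre-fix runc or BuildKit before relying on the runtime-monitoring items below.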
Runtime visibility is your last line of defense. If you can’t see what containers are doing, you can’t stop a breakout.
If you’re running containers in Kubernetes, this isn’t optional security knowledge — it’s mandatory.
Read more on our blog:
https://www.sysdig.com/blog/runc-container-escape-vulnerabilities
Chapters:
00:00 Intro
00:28 What are runc container escape vulnerabilities?
00:55 What are some of the biggest "Leaky Vessels" CVEs?
01:41 Why do "Leaky Vessels" matter for developers?
02:06 How to protect yourself from "Leaky Vessels"
03:29 Outro
#containerescape #containervulnerabilities #vulnerabilitymanagement #containersecurity #kubernetessecurity #docker #dockercontainer #leakyvessels #cloudnative