Vulnerability in Opencontainers Runc
CVE-2024-21626
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc e…
EPSS: 0.051 (90.0th percentile).
CVSS v3 metric
CVSS v3 base score 8.6 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.
Affected products
- Opencontainers Runc — versions >= v1.0.0-rc93, < v1.1.12
Weakness classification (CWE)
- CWE-403: Exposure of File Descriptor to Unintended Control Sphere (File Descriptor Leak)
Public proof-of-concept exploits
References
- https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv (x_refsource_CONFIRM)
- https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf (x_refsource_MISC)
- https://github.com/opencontainers/runc/releases/tag/v1.1.12 (x_refsource_MISC)
- www.openwall.com/lists/oss-security/2024/02/01/1
- www.openwall.com/lists/oss-security/2024/02/02/3
- packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege…
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…
- lists.debian.org/debian-lts-announce/2024/02/msg00005.html
Frequently asked questions
- What is CVE-2024-21626?
- CVE-2024-21626 is a high-severity vulnerability in Opencontainers Runc, classified under Exposure of File Descriptor to Unintended Control Sphere (File Descriptor Leak). CVSS score: 8.6/10. Published 2024-01-31.
- How severe is CVE-2024-21626?
- High severity. CVSS v3 base score is 8.6 out of 10.
- Is CVE-2024-21626 known to be exploited?
- 69 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.