Search for packages
| purl | pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u2 |
| Next non-vulnerable version | 1.0.3+ds1-1 |
| Latest non-vulnerable version | 1.1.15+ds1-2 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6j4q-p114-aaae
Aliases: CVE-2023-28642 GHSA-g2j6-57v7-gm8c |
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-78xd-zy32-aaas
Aliases: CVE-2023-25809 GHSA-m8cg-xc2p-r3fc |
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-h2d7-ph2u-aaah
Aliases: CVE-2024-21626 GHSA-xr7r-f8xq-vfvv |
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-sxre-t5g1-aaaj
Aliases: CVE-2023-27561 GHSA-vpvm-3wq2-2wvm |
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-us2v-fh9z-aaaa
Aliases: CVE-2021-43784 GHSA-v95c-p5hm-xq8f |
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-f21p-csu2-aaar | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file. |
CVE-2022-29162
GHSA-f3fp-gc8g-vw66 |
| VCID-us2v-fh9z-aaaa | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. |
CVE-2021-43784
GHSA-v95c-p5hm-xq8f |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-06-22T07:24:57.611568+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T09:04:30.277859+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | None | 36.1.3 |
| 2025-06-21T07:24:34.991054+00:00 | Debian Importer | Affected by | VCID-h2d7-ph2u-aaah | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T06:05:39.796633+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T05:27:24.203335+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | None | 36.1.3 |
| 2025-06-21T05:16:16.412236+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T04:51:46.453079+00:00 | Debian Oval Importer | Fixing | VCID-f21p-csu2-aaar | None | 36.1.3 |
| 2025-06-20T22:55:32.222430+00:00 | Debian Importer | Fixing | VCID-f21p-csu2-aaar | None | 36.1.3 |
| 2025-06-20T22:28:13.822934+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | None | 36.1.3 |
| 2025-06-20T20:55:32.420484+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-20T19:43:50.019071+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | None | 36.1.3 |
| 2025-06-07T22:28:59.846278+00:00 | Debian Oval Importer | Fixing | VCID-f21p-csu2-aaar | None | 36.1.0 |
| 2025-06-05T14:39:02.976453+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | https://security-tracker.debian.org/tracker/data/json | 36.1.0 |
| 2025-06-05T13:52:05.823577+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | None | 36.1.0 |
| 2025-04-13T01:58:05.206196+00:00 | Debian Oval Importer | Affected by | VCID-sxre-t5g1-aaaj | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-13T01:56:29.637772+00:00 | Debian Oval Importer | Affected by | VCID-us2v-fh9z-aaaa | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-13T01:56:09.084852+00:00 | Debian Oval Importer | Affected by | VCID-6j4q-p114-aaae | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-13T01:55:03.493256+00:00 | Debian Oval Importer | Affected by | VCID-78xd-zy32-aaas | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T22:55:37.122546+00:00 | Debian Oval Importer | Affected by | VCID-h2d7-ph2u-aaah | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T21:35:14.365353+00:00 | Debian Oval Importer | Fixing | VCID-f21p-csu2-aaar | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-07T21:00:35.621758+00:00 | Debian Oval Importer | Fixing | VCID-f21p-csu2-aaar | None | 36.0.0 |
| 2025-04-07T03:34:41.751396+00:00 | Debian Importer | Fixing | VCID-us2v-fh9z-aaaa | None | 36.0.0 |
| 2025-04-06T01:03:26.661265+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-05T06:20:47.841644+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | None | 36.0.0 |
| 2025-04-05T04:40:56.565011+00:00 | Debian Importer | Affected by | VCID-h2d7-ph2u-aaah | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-05T03:20:19.004426+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-05T02:41:52.429912+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | None | 36.0.0 |
| 2025-04-05T02:30:26.436829+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-04T01:34:38.431552+00:00 | Debian Importer | Fixing | VCID-f21p-csu2-aaar | None | 36.0.0 |
| 2025-04-04T01:06:58.495065+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | None | 36.0.0 |
| 2025-04-03T23:37:27.142470+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-03T22:50:38.442540+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | None | 36.0.0 |
| 2025-02-21T18:29:09.802832+00:00 | Debian Importer | Affected by | VCID-h2d7-ph2u-aaah | https://security-tracker.debian.org/tracker/data/json | 35.1.0 |
| 2025-02-21T10:34:11.799849+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | https://security-tracker.debian.org/tracker/data/json | 35.1.0 |
| 2025-02-21T10:34:07.696551+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | None | 35.1.0 |
| 2025-02-21T10:23:46.590890+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | https://security-tracker.debian.org/tracker/data/json | 35.1.0 |
| 2025-02-21T10:23:45.175353+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | None | 35.1.0 |
| 2025-02-21T10:03:13.402240+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | https://security-tracker.debian.org/tracker/data/json | 35.1.0 |
| 2025-02-21T10:03:09.214472+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | None | 35.1.0 |
| 2025-02-20T20:28:46.734200+00:00 | Debian Importer | Fixing | VCID-f21p-csu2-aaar | None | 35.1.0 |
| 2025-02-20T07:31:06.096419+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | https://security-tracker.debian.org/tracker/data/json | 35.1.0 |
| 2025-02-20T07:30:59.945488+00:00 | Debian Importer | Fixing | VCID-us2v-fh9z-aaaa | None | 35.1.0 |
| 2025-02-20T07:30:59.215288+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | None | 35.1.0 |
| 2024-11-24T00:09:00.006902+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | https://security-tracker.debian.org/tracker/data/json | 35.0.0 |
| 2024-11-24T00:08:55.898909+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | None | 35.0.0 |
| 2024-11-23T23:43:35.760825+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | https://security-tracker.debian.org/tracker/data/json | 35.0.0 |
| 2024-11-23T23:43:31.492130+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | None | 35.0.0 |
| 2024-11-23T13:02:48.183438+00:00 | Debian Importer | Fixing | VCID-f21p-csu2-aaar | None | 35.0.0 |
| 2024-11-23T01:14:53.675142+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | https://security-tracker.debian.org/tracker/data/json | 35.0.0 |
| 2024-11-23T01:14:47.270232+00:00 | Debian Importer | Fixing | VCID-us2v-fh9z-aaaa | None | 35.0.0 |
| 2024-11-23T01:14:46.572210+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | None | 35.0.0 |
| 2024-10-10T21:46:55.925680+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | https://security-tracker.debian.org/tracker/data/json | 34.0.2 |
| 2024-10-10T21:46:51.757042+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | None | 34.0.2 |
| 2024-10-10T21:19:12.809694+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | https://security-tracker.debian.org/tracker/data/json | 34.0.2 |
| 2024-10-10T21:19:08.431028+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | None | 34.0.2 |
| 2024-10-10T10:51:14.015722+00:00 | Debian Importer | Fixing | VCID-f21p-csu2-aaar | None | 34.0.2 |
| 2024-10-09T23:35:22.759987+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | https://security-tracker.debian.org/tracker/data/json | 34.0.2 |
| 2024-10-09T23:35:16.271455+00:00 | Debian Importer | Fixing | VCID-us2v-fh9z-aaaa | None | 34.0.2 |
| 2024-10-09T23:35:15.538688+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | None | 34.0.2 |
| 2024-09-20T02:41:53.344562+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | https://security-tracker.debian.org/tracker/data/json | 34.0.1 |
| 2024-09-20T02:41:49.344010+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | None | 34.0.1 |
| 2024-09-20T02:19:47.522531+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | https://security-tracker.debian.org/tracker/data/json | 34.0.1 |
| 2024-09-20T02:19:43.409886+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | None | 34.0.1 |
| 2024-09-19T17:28:44.819345+00:00 | Debian Importer | Fixing | VCID-f21p-csu2-aaar | None | 34.0.1 |
| 2024-09-19T07:21:43.453707+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | https://security-tracker.debian.org/tracker/data/json | 34.0.1 |
| 2024-09-19T07:21:37.302210+00:00 | Debian Importer | Fixing | VCID-us2v-fh9z-aaaa | None | 34.0.1 |
| 2024-09-19T07:21:36.578018+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | None | 34.0.1 |
| 2024-04-26T02:41:30.269903+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-26T02:41:25.330620+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | None | 34.0.0rc4 |
| 2024-04-26T02:30:32.917704+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-26T02:30:31.193799+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | None | 34.0.0rc4 |
| 2024-04-26T02:13:57.105936+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-26T02:13:52.624882+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | None | 34.0.0rc4 |
| 2024-04-25T14:21:36.539459+00:00 | Debian Importer | Fixing | VCID-f21p-csu2-aaar | None | 34.0.0rc4 |
| 2024-04-25T05:42:38.338842+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-25T05:42:30.245941+00:00 | Debian Importer | Fixing | VCID-us2v-fh9z-aaaa | None | 34.0.0rc4 |
| 2024-04-25T05:42:29.411654+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | None | 34.0.0rc4 |
| 2024-01-12T12:44:14.556221+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T12:44:09.058068+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | None | 34.0.0rc2 |
| 2024-01-12T12:32:32.431826+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T12:32:14.587770+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | None | 34.0.0rc2 |
| 2024-01-12T12:11:50.787450+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T12:11:45.477824+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | None | 34.0.0rc2 |
| 2024-01-11T16:01:20.086209+00:00 | Debian Importer | Fixing | VCID-f21p-csu2-aaar | None | 34.0.0rc2 |
| 2024-01-11T07:25:04.191608+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-11T07:24:52.599894+00:00 | Debian Importer | Fixing | VCID-us2v-fh9z-aaaa | None | 34.0.0rc2 |
| 2024-01-11T07:24:51.695565+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | None | 34.0.0rc2 |
| 2024-01-05T08:27:49.243527+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T08:27:44.525411+00:00 | Debian Importer | Affected by | VCID-6j4q-p114-aaae | None | 34.0.0rc1 |
| 2024-01-05T08:21:16.770813+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T08:21:11.747447+00:00 | Debian Importer | Affected by | VCID-sxre-t5g1-aaaj | None | 34.0.0rc1 |
| 2024-01-05T08:12:03.340140+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T08:11:59.264422+00:00 | Debian Importer | Affected by | VCID-78xd-zy32-aaas | None | 34.0.0rc1 |
| 2024-01-05T01:23:51.501539+00:00 | Debian Importer | Fixing | VCID-f21p-csu2-aaar | None | 34.0.0rc1 |
| 2024-01-04T18:12:08.987063+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-04T18:12:00.657524+00:00 | Debian Importer | Fixing | VCID-us2v-fh9z-aaaa | None | 34.0.0rc1 |
| 2024-01-04T18:11:59.819310+00:00 | Debian Importer | Affected by | VCID-us2v-fh9z-aaaa | None | 34.0.0rc1 |