---
title: Container breakout using runc file descriptors
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Container breakout using runc file
  descriptors
---

# Container breakout using runc file descriptors
Classification: attack | Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004) | Technique: [T1611-escape-to-host](https://attack.mitre.org/techniques/T1611)
## What happened{% #what-happened %}

A container executed with a working directory set to `/proc/self/fd/*`, indicating exploitation of the container escape vulnerability `CVE-2024-21626`.

## Goal{% #goal %}

Detect exploitation of [CVE-2024-21626](https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv) which abuses leaky file descriptors in `runc`.

## Strategy{% #strategy %}

This exploit is accomplished by building or running a container image whose working directory is set to `/proc/self/fd/<int>`. In a Dockerfile this is specified with the `WORKDIR` instruction; in a Kubernetes container spec the field is `workingDir`. Successful exploitation results in read and write access to the host filesystem and potentially a complete container escape.
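
As an added example (not part of the Datadog rule or the runc project), the following Python check applies the strategy above to a Dockerfile and to a Kubernetes Pod object such as the `requestObject` of an audit event: it flags any `WORKDIR` or `workingDir` value of the form `/proc/self/fd/<int>`. The function names and sample inputs are constructed for this illustration.

```python
import re

# A workingDir of /proc/self/fd/<int>, or a path beneath it. The trailing "/"
# or end-of-string keeps names such as /proc/self/fdinfo from matching.
SUSPICIOUS_WORKDIR = re.compile(r"^/proc/self/fd/\d+(?:/|$)")

def is_suspicious_workdir(path: str) -> bool:
    """True if the raw workingDir value targets /proc/self/fd/<int>.
    The value is checked as written, before any path normalisation."""
    return bool(SUSPICIOUS_WORKDIR.match(path.strip()))

def dockerfile_findings(dockerfile: str) -> list[str]:
    """Return every WORKDIR value in a Dockerfile that matches the pattern."""
    found = []
    for line in dockerfile.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "WORKDIR":
            if is_suspicious_workdir(parts[1]):
                found.append(parts[1].strip())
    return found

def pod_findings(pod: dict) -> list[tuple[str, str]]:
    """Return (container name, workingDir) for each matching container in a
    Pod object, e.g. the requestObject of a Kubernetes audit event."""
    found = []
    for key in ("initContainers", "containers"):
        for c in pod.get("spec", {}).get(key, []):
            wd = c.get("workingDir", "")
            if wd and is_suspicious_workdir(wd):
                found.append((c.get("name", "<unnamed>"), wd))
    return found

# Constructed samples for this demonstration; not taken from a real incident.
SAMPLE_DOCKERFILE = "FROM alpine:3.19\nWORKDIR /proc/self/fd/7\nCMD [\"sh\"]\n"
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [
        {"name": "app", "image": "alpine:3.19", "workingDir": "/app"},
        {"name": "escape", "image": "alpine:3.19", "workingDir": "/proc/self/fd/8/"},
    ]},
}

if __name__ == "__main__":
    print(dockerfile_findings(SAMPLE_DOCKERFILE))  # ['/proc/self/fd/7']
    print(pod_findings(SAMPLE_POD))                # [('escape', '/proc/self/fd/8/')]
```

The same `is_suspicious_workdir` check can be applied to the `WorkingDir` field of `docker inspect` output or to Docker API create requests when reviewing audit logs.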

## Triage and response{% #triage-and-response %}

1. Isolate the host to prevent further compromise.
1. Use tags to determine the affected container and image.
1. Use Docker or Kubernetes audit logs to determine how the exploit occurred. An adversary could have built or run a malicious container image in several ways, such as abusing external access to the Docker API or manipulating a base image.
1. Review related signals to determine the impact of the compromise and develop a timeline.
1. Redeploy the host with a `runc` version of 1.1.12 or later.

*Requires Agent version 7.55 or later.*
