Container breakout using runc file descriptors


Detect exploitation of CVE-2024-21626 which abuses leaky file descriptors in runc.


This exploit is accomplished by building or running a container image where the WORKDIR is /proc/self/fd/<int>. Successful exploitation results in read and write access to the host filesystem and potentially a complete container escape.

This detection alerts on runc processes calling chdir with the value /sys/fs/cgroup which is the root behavior of this exploit.

Triage and response

  1. Isolate the host to prevent further compromise.
  2. Use Docker or Kubernetes audit logs to determine how the exploit occurred. An adversary could have built or run a malicious container image in several ways, such as external access to the Docker API or social engineering.
  3. Review related signals to determine the impact of the compromise and develop a timeline.
  4. Redeploy the host with a runc version of 1.1.12 or later.

Requires Agent version 7.51 or later.