What is the CVSS score of CVE-2019-5736?

CVE-2019-5736 has a CVSS 3.1 base score of 8.6 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 59.2%.

Which versions of Docker are affected by CVE-2019-5736?

Organizations using Docker face significant risk from CVE-2019-5736, a OS command injection vulnerability rated CVSS 8.6.. A patch is available.

Is there a public PoC exploit available for CVE-2019-5736?

Yes, a public proof-of-concept exploit is available for CVE-2019-5736. Prioritise patching immediately. EPSS: 59.2%.

How to fix or mitigate CVE-2019-5736?

Within 24 hours: Identify all affected systems running Docker and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

Docker CVE-2019-5736

HIGH

OS Command Injection (CWE-78)

2019-02-11 cve@mitre.org

Docker

8.6

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.6 HIGH

AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 26, 2026 - 11:19 vuln.today

PoC Detected

Nov 21, 2024 - 04:45 vuln.today

Public exploit code

Patch released

Nov 21, 2024 - 04:45 nvd

Patch available

CVE Published

Feb 11, 2019 - 19:29 nvd

HIGH 8.6

DescriptionCVE.org

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

AnalysisAI

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attackers to overwrite the host runc binary. By exploiting a race condition during container exec, a malicious container process can gain root access to the host system, breaking the fundamental container isolation boundary.

Technical ContextAI

During 'docker exec' or similar container exec operations, the host runc binary is exposed to the container's filesystem through /proc/self/exe. A malicious container process can exploit a TOCTOU race condition to overwrite the host runc binary with a trojanized version. The next time runc is invoked (for any container operation), the attacker's code executes with root privileges on the host.

Affected ProductsAI

runc <= 1.0-rc6 Docker < 18.09.2 containerd (using vulnerable runc) Kubernetes (using vulnerable runc) LXC (using vulnerable runc)

RemediationAI

Update runc to 1.0-rc7 or later, Docker to 18.09.2+. Patch container runtime on all hosts. Implement user namespace remapping to reduce container root privileges. Use read-only container images. Deploy runtime security monitoring (Falco, Sysdig) to detect container escape attempts.