Runc
CVE-2021-43784
MEDIUM
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionNVD
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the C portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.
AnalysisAI
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Integer Overflow (CWE-190), which allows attackers to cause unexpected behavior through arithmetic overflow. runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the C portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. Affected products include: Linuxfoundation Runc, Debian Debian Linux. Version information: prior to 1.0.3.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate arithmetic operations, use safe integer libraries, check bounds before allocation.
Alpine Linux: runc fixed in 1.1.12-r0
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 8.4
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass beca
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linu
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated medium severity (CVSS 6
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. Rated high severity (CVSS 8.5), t
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a po
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.8
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. Rated high severity
Moby is an open-source project created by Docker to enable and accelerate software containerization. Rated medium severi
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today