[Security] CVE-2024-21626 (Leaky Vessels)


We are aware of a new vulnerability, CVE-2024-21626 (nicknamed Leaky Vessels) [1]. Vulnerable software includes Docker, BuildKit, containerd and runc. Nectar services such as the Container Orchestration Engine (Magnum) are impacted.


A malicious image may be able to break out of its container onto the host VM. This can be triggered either by running a malicious image or by building one.


As there are several related attacks and CVEs (CVE-2024-23652, CVE-2024-23651 and CVE-2024-23653), the information here may not be complete for your situation. Please evaluate the vulnerability in your own environment. The links at the end of this article may be helpful.

In general, you can limit the impact with the following:

- Only build images from trusted sources

- Only run trusted images

snyk.io has scanned popular images and has found no evidence of this being exploited in the wild yet [2]. However, this may change.


Please update your software to the following versions:

runc - 1.1.12

containerd - 1.16.28 or 1.17.13

docker - 24.0.9 or 25.0.1
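To check a host against the fixed versions listed above, here is an added example (not part of the original advisory) that parses the version banners each tool prints and reports whether the installed release is at or above the fix for its own release branch. The version table is copied from the list above and should be confirmed against the vendor advisories linked at the end of this article; the banners are constructed samples, not output captured from a real host.

```python
import re

# Fixed versions as listed in the advisory above (verify against the vendor
# advisories before relying on them). Where two versions are listed, each is
# the minimum for its own release branch (major.minor).
FIXED_VERSIONS = {
    "runc": ["1.1.12"],
    "containerd": ["1.16.28", "1.17.13"],
    "docker": ["24.0.9", "25.0.1"],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract the first major.minor.patch triple from a version banner."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(tool, banner):
    """True if the banner's version is at or above the fix for its branch.

    A branch newer than every fixed branch is treated as patched; a branch
    older than, or in between, the fixed branches has no listed fix and is
    reported as vulnerable (conservative)."""
    inst = parse_version(banner)
    branch = inst[:2]
    fixed = sorted(parse_version(v) for v in FIXED_VERSIONS[tool])
    for f in fixed:
        if f[:2] == branch:
            return inst >= f
    return branch > max(f[:2] for f in fixed)

# Constructed sample banners in the shape of `runc --version`,
# `containerd --version` and `docker --version` output.
SAMPLE_BANNERS = {
    "runc": "runc version 1.1.11\ncommit: v1.1.11-0-gabcdef0\nspec: 1.0.2-dev",
    "containerd": "containerd github.com/containerd/containerd v1.17.13",
    "docker": "Docker version 25.0.0, build abcdef0",
}

def audit(banners):
    """Map each tool to 'patched' or 'vulnerable' based on its banner."""
    return {t: "patched" if is_patched(t, b) else "vulnerable"
            for t, b in banners.items()}

if __name__ == "__main__":
    for tool, status in audit(SAMPLE_BANNERS).items():
        print(f"{tool:11s} {status}")
```

On a live host, feed the real output of the three `--version` commands into `audit` in place of the sample banners.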


Update 22/02/2024:

There are instructions on updating containerd for Magnum at https://support.ehelp.edu.au/a/solutions/articles/6000270733?portalId=6000043010


1. Original announcement - https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/

2. https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/

3. Docker advisory - https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/

4. runc advisory - https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv

