# CVE List

## Containerd

| CVE | Title | Affected versions | References |
| --- | --- | --- | --- |
| [CVE-2022-23648](https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7) | Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host | <p><=1.4.12</p><p>1.5.0 - 1.5.9</p><p>1.6.0</p> | <p>> <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=2244">Technical Advisory: containerd - Insecure handling of image volumes</a></p><p>> <a href="https://github.com/raesene/CVE-2022-23648-POC">PoC for CVE-2022-23648</a></p> |
| [CVE-2021-41103](https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq) | Insufficiently restricted permissions on container root and plugin directories | <p><1.4.11</p><p><1.5.7</p> | [GitHub advisories: GHSA-c2h3-6mxw-7mvq](https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq) |
| [CVE-2021-32760](https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w) | Archive package allows chmod of file outside of unpack target directory | <p><=1.4.7</p><p><=1.5.3</p> | [GitHub advisories: GHSA-c72p-9xmj-rx3w](https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w) |
| [CVE-2021-21334](https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4) | containerd CRI plugin: environment variables can leak between containers | <p><=1.3.9</p><p><=1.4.3</p> | [GitHub advisories: GHSA-6g2q-w5j3-fwh4](https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4) |
| [CVE-2020-15257](https://research.nccgroup.com/2020/11/30/technical-advisory-containerd-containerd-shim-api-exposed-to-host-network-containers-cve-2020-15257/) | containerd-shim API exposed to host network containers | <p><=1.3.7</p><p>1.4.0</p><p>1.4.1</p> | [Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)](https://research.nccgroup.com/2020/11/30/technical-advisory-containerd-containerd-shim-api-exposed-to-host-network-containers-cve-2020-15257/) |
| [CVE-2020-15157](https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c) | containerd v1.2.x can be coerced into leaking credentials during image pull | <1.3.0 | <p>> <a href="https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c">GitHub advisories: GHSA-742w-89gc-8m9c</a></p><p>> <a href="https://darkbit.io/blog/cve-2020-15157-containerdrip">CVE-2020-15157 "ContainerDrip" Write-up</a></p> |

## CRI-O

| CVE                                                                                     | Title                                                                                               | Affected versions | References                                                                                                                                                                                                           |
| --------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [CVE-2022-0811](https://github.com/cri-o/cri-o/security/advisories/GHSA-6x2m-w449-qwx7) | Rights to deploy a pod on a Kubernetes cluster leads to abusing the `kernel.core_pattern` parameter | `>1.19.0`         | [cr8escape: New Vulnerability in CRI-O Container Engine Discovered by CrowdStrike (CVE-2022-0811)](https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/) |

## Linux kernel

| CVE | Title | Required capabilities | References |
| --- | --- | --- | --- |
| [CVE-2022-47939](https://nvd.nist.gov/vuln/detail/CVE-2022-47939) | A use-after-free vulnerability in fs/ksmbd/smb2pdu.c | `?` | [Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability](https://www.zerodayinitiative.com/advisories/ZDI-22-1690/) |
| [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) | A type confusion bug in nft\_set\_elem\_init that leads to a buffer overflow | CAP\_NET\_ADMIN | <p>> <a href="https://randorisec.fr/crack-linux-firewall/">CVE-2022-34918 A crack in the Linux firewall</a></p><p>> <a href="https://github.com/randorisec/CVE-2022-34918-LPE-PoC">GitHub: randorisec/CVE-2022-34918-LPE-PoC</a></p> |
| [CVE-2022-32250](https://nvd.nist.gov/vuln/detail/CVE-2022-32250) | A use-after-free vulnerability in the Netfilter subsystem | `?` | <p>> <a href="https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/">Linux Kernel Exploit (CVE-2022-32250) with mqueue</a></p><p>> <a href="https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/">SETTLERS OF NETLINK: Exploiting a limited UAF in nf\_tables (CVE-2022-32250)</a></p> |
| [CVE-2022-29582](https://nvd.nist.gov/vuln/detail/CVE-2022-29582) | A use-after-free vulnerability in fs/io\_uring.c due to a race condition in io\_uring timeouts | - | <p>> <a href="https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring/">CVE-2022-29582: An io\_uring vulnerability</a></p><p>> <a href="https://github.com/Ruia-ruia/CVE-2022-29582-Exploit">GitHub: Ruia-ruia/CVE-2022-29582-Exploit</a></p> |
| [CVE-2022-27666](https://nvd.nist.gov/vuln/detail/CVE-2022-27666) | A heap buffer overflow vulnerability in the IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c that allows a local attacker with normal user privileges to overwrite kernel heap objects | `?` | <p>> <a href="https://etenal.me/archives/1825">CVE-2022-27666: Exploit esp6 modules in Linux kernel</a></p><p>> <a href="https://github.com/plummm/CVE-2022-27666">GitHub: plummm/CVE-2022-27666</a></p> |
| [CVE-2022-2602](https://access.redhat.com/security/cve/cve-2022-2602) | A use-after-free vulnerability when an io\_uring request is being processed | `?` | <p>> <a href="https://exploiter.dev/blog/2022/CVE-2022-2602.html">DirtyCred Remastered: how to turn an UAF into Privilege Escalation</a></p><p>> <a href="https://github.com/LukeGix/CVE-2022-2602">GitHub: LukeGix/CVE-2022-2602</a></p> |
| [CVE-2022-2588](https://access.redhat.com/security/cve/cve-2022-2588) | A use-after-free vulnerability in route4\_change in the net/sched/cls\_route.c filter implementation in the Linux kernel | CAP\_NET\_ADMIN | <p>> <a href="https://www.crowdstrike.com/blog/what-is-the-dirtycred-exploit-technique/">DirtyCred: Opening Pandora’s Box to Current and Future Container Escapes</a></p><p>> <a href="https://github.com/Markakd/CVE-2022-2588">GitHub: Markakd/CVE-2022-2588</a></p> |
| [CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636) | An out-of-bounds memory access leads to privilege escalation | CAP\_NET\_ADMIN | [The Discovery and Exploitation of CVE-2022-25636](https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/) |
| [CVE-2022-1786](https://nvd.nist.gov/vuln/detail/CVE-2022-1786) | A use-after-free flaw in the io\_uring subsystem in the way a user sets up a ring with IORING\_SETUP\_IOPOLL with more than one task completing submissions on this ring | `?` | [CVE-2022-1786 A Journey To The Dawn](https://blog.kylebot.net/2022/10/16/CVE-2022-1786/) |
| [CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015) | A flaw in linux/net/netfilter/nf\_tables\_api.c of the netfilter subsystem that allows a local user to cause an out-of-bounds write | CAP\_NET\_ADMIN | <p>> <a href="https://ysanatomic.github.io/cve-2022-1015/">CVE-2022-1015: A validation flaw in Netfilter leading to Local Privilege Escalation</a></p><p>> <a href="https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/">How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf\_tables</a></p> |
| [CVE-2022-0995](https://nvd.nist.gov/vuln/detail/CVE-2022-0995) | An out-of-bounds memory write flaw in the watch\_queue event notification subsystem that can overwrite parts of the kernel state | `?` | [GitHub: Bonfee/CVE-2022-0995](https://github.com/Bonfee/CVE-2022-0995) |
| [CVE-2022-0847](https://nvd.nist.gov/vuln/detail/cve-2022-0847) | A vulnerability which allows overwriting data in arbitrary read-only files and leads to privilege escalation via injecting code into root processes | CAP\_DAC\_READ\_SEARCH | <p>> <a href="https://dirtypipe.cm4all.com/">The Dirty Pipe Vulnerability</a></p><p>> <a href="https://jfrog.com/blog/dirtypipe-cve-2022-0847-the-new-dirtycow/">DirtyPipe (CVE-2022-0847) – the new DirtyCoW?</a></p><p>> <a href="https://github.com/greenhandatsjtu/CVE-2022-0847-Container-Escape">GitHub: greenhandatsjtu/CVE-2022-0847-Container-Escape</a></p><p>> <a href="https://github.com/Al1ex/CVE-2022-0847">GitHub: Al1ex/CVE-2022-0847</a></p> |
| [CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492) | Missing verification allows setting the `release_agent` file for the process without administrative privileges | <p>CAP\_SYS\_ADMIN</p><p>Disabled AppArmor/SELinux</p><p>Disabled Seccomp</p> | [New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/) |
| [CVE-2022-0185](https://access.redhat.com/security/cve/cve-2022-0185) | A heap-based buffer overflow flaw in the legacy\_parse\_param function in the Filesystem Context functionality of the Linux kernel | <p>CAP\_SYS\_ADMIN</p><p>or <a href="https://man7.org/linux/man-pages/man1/unshare.1.html">unshare(CLONE\_NEWNS \| CLONE\_NEWUSER)</a></p> | <p>> <a href="https://www.willsroot.io/2022/01/cve-2022-0185.html">CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers</a></p><p>> <a href="https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes">CVE-2022-0185 in Linux Kernel Can Allow Container Escape in Kubernetes</a></p><p>> <a href="https://github.com/Crusaders-of-Rust/CVE-2022-0185">GitHub: Crusaders-of-Rust/CVE-2022-0185</a></p> |
| [CVE-2021-22555](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22555) | A heap out-of-bounds write in Linux Netfilter | CAP\_NET\_ADMIN | [CVE-2021-22555: Turning \x00\x00 into 10000$](https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html) |
| [CVE-2021-31440](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31440) | A flaw in the handling of eBPF programs allows privilege escalation | CAP\_SYS\_MODULE | [CVE-2021-31440: AN INCORRECT BOUNDS CALCULATION IN THE LINUX KERNEL EBPF VERIFIER](https://www.zerodayinitiative.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-calculation-in-the-linux-kernel-ebpf-verifier) |
| [CVE-2020-8835](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8835) | The bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory | CAP\_SYS\_ADMIN | [CVE-2020-8835: LINUX KERNEL PRIVILEGE ESCALATION VIA IMPROPER EBPF PROGRAM VERIFICATION](https://www.zerodayinitiative.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification) |
| [CVE-2017-7308](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308) | The packet\_set\_ring function in net/packet/af\_packet.c does not properly validate certain block-size data, which allows local users to gain privileges via crafted system calls | CAP\_NET\_RAW | [Exploiting the Linux kernel via packet sockets](https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html) |

## RunC

| CVE                                                                                              | Title                                                                                     | Affected versions | References                                                                                                                                                                                                                                                                                                                                                |
| ------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------- | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [CVE-2021-30465](https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r) | Mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs | <=1.0.0-rc94      | <p>> <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r">GitHub advisories: GHSA-c3xm-pvg7-gh7r</a></p><p>> <a href="http://blog.champtar.fr/runc-symlink-CVE-2021-30465/">runc mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs (CVE-2021-30465)</a></p>                   |
| [CVE-2019-19921](https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw) | procfs race condition with a shared volume mount                                          | <1.0.0-rc10       | [GitHub advisories: GHSA-fh74-hm69-rqjw](https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw)                                                                                                                                                                                                                                  |
| [CVE-2019-5736](https://nvd.nist.gov/vuln/detail/CVE-2019-5736)                                  | Overwrite host runc binary due to file-descriptor mishandling                             | <=1.0-rc6         | <p>> <a href="https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html">CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host</a></p><p>> <a href="https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/">Breaking out of Docker via runC – Explaining CVE-2019-5736</a></p> |

## References

* [Container Security Site: Container CVE List](https://www.container-security.site/general_information/container_cve_list.html)
* Zeronights 2021: Dmitriy Evdokimov – Container escapes Kubernetes edition
  * [Video](https://www.youtube.com/watch?v=JoLgVBTc73c)
  * [Slides](https://zeronights.ru/wp-content/uploads/2021/09/zn2021_container_escapes_kubernetes_edition_v4.pdf)
