# CVE List

## Containerd

| CVE                                                                                                                                                             | Title                                                                                                                                                                                              | Affected versions                                | References                                                                                                                                                                                                                                                        |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [CVE-2022-23648](https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7)                                                              | Containers launched through containerd's CRI implementation from a specially crafted image configuration (image volumes resolving to host paths) could gain read-only access to arbitrary files and directories on the host | <p><= 1.4.12</p><p>1.5.0 - 1.5.9</p><p>1.6.0</p> | <p>> <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=2244">Technical Advisory: containerd - Insecure handling of image volumes</a></p><p>> <a href="https://github.com/raesene/CVE-2022-23648-POC">PoC for CVE-2022-23648</a></p>              |
| [CVE-2021-41103](https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq)                                                              | Insufficiently restricted permissions on container root and plugin directories                                                                                                                     | <p><1.4.11</p><p><1.5.7</p>                      | [Github advisories: GHSA-c2h3-6mxw-7mvq](https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq)                                                                                                                                        |
| [CVE-2021-32760](https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w)                                                              | Archive package allows chmod of file outside of unpack target directory                                                                                                                            | <p><=1.4.7</p><p><=1.5.3</p>                     | [Github advisories: GHSA-c72p-9xmj-rx3w](https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w)                                                                                                                                        |
| [CVE-2021-21334](https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4)                                                              | containerd CRI plugin: environment variables can leak between containers                                                                                                                           | <p><=1.3.9</p><p><= 1.4.3</p>                    | [Github advisories: GHSA-6g2q-w5j3-fwh4](https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4)                                                                                                                                        |
| [CVE-2020-15257](https://research.nccgroup.com/2020/11/30/technical-advisory-containerd-containerd-shim-api-exposed-to-host-network-containers-cve-2020-15257/) | containerd-shim API exposed to host-network containers (abstract unix socket reachable by any process in the host network namespace)                                                                | <p>< 1.3.9</p><p>1.4.0 - 1.4.2</p>               | [Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)](https://research.nccgroup.com/2020/11/30/technical-advisory-containerd-containerd-shim-api-exposed-to-host-network-containers-cve-2020-15257/)         |
| [CVE-2020-15157](https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c)                                                              | containerd v1.2.x can be coerced into leaking registry credentials during image pull (foreign layer URLs pointing at an attacker-controlled host)                                                  | 1.2.x < 1.2.14                                   | <p>> <a href="https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c">Github advisories: GHSA-742w-89gc-8m9c</a></p><p>> <a href="https://darkbit.io/blog/cve-2020-15157-containerdrip">CVE-2020-15157 "ContainerDrip" Write-up</a></p> |

## CRI-O

| CVE                                                                                     | Title                                                                                               | Affected versions | References                                                                                                                                                                                                           |
| --------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [CVE-2022-0811](https://github.com/cri-o/cri-o/security/advisories/GHSA-6x2m-w449-qwx7) | "cr8escape": anyone with rights to deploy a pod can set arbitrary kernel parameters, including `kernel.core_pattern`, through insufficiently validated pod sysctls, leading to container escape | `>= 1.19.0` (fixed in 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2) | [cr8escape: New Vulnerability in CRI-O Container Engine Discovered by CrowdStrike (CVE-2022-0811)](https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/) |

## Linux kernel

| CVE | Title | Required capabilities | References |
| --- | --- | --- | --- |
| [CVE-2022-47939](https://nvd.nist.gov/vuln/detail/CVE-2022-47939) | A use-after-free vulnerability in fs/ksmbd/smb2pdu.c (the in-kernel SMB3 server) reachable by an unauthenticated remote client | None (remote, pre-auth; the host must run ksmbd) | > [Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability](https://www.zerodayinitiative.com/advisories/ZDI-22-1690/) |
| [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) | A type confusion bug in nft\_set\_elem\_init that leads to a buffer overflow. | CAP\_NET\_ADMIN | <p>> <a href="https://randorisec.fr/crack-linux-firewall/">CVE-2022-34918 A crack in the Linux firewall</a></p><p>> <a href="https://github.com/randorisec/CVE-2022-34918-LPE-PoC">Github: randorisec/CVE-2022-34918-LPE-PoC</a></p> |
| [CVE-2022-32250](https://nvd.nist.gov/vuln/detail/CVE-2022-32250) | A use-after-free vulnerability in the Netfilter (nf\_tables) subsystem | CAP\_NET\_ADMIN | <p>> <a href="https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/">Linux Kernel Exploit (CVE-2022-32250) with mqueue</a></p><p>> <a href="https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/">SETTLERS OF NETLINK: Exploiting a limited UAF in nf\_tables (CVE-2022-32250)</a></p> |
| [CVE-2022-29582](https://nvd.nist.gov/vuln/detail/CVE-2022-29582) | A use-after-free vulnerability in fs/io\_uring.c due to a race condition in io\_uring timeouts | None (io\_uring must be reachable, i.e. not blocked by seccomp) | <p>> <a href="https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring/">CVE-2022-29582: An io\_uring vulnerability</a></p><p>> <a href="https://github.com/Ruia-ruia/CVE-2022-29582-Exploit">Github: Ruia-ruia/CVE-2022-29582-Exploit</a></p> |
| [CVE-2022-27666](https://nvd.nist.gov/vuln/detail/CVE-2022-27666) | A heap buffer overflow vulnerability in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c that allows a local attacker with a normal user privilege to overwrite kernel heap objects. | `?` | <p>> <a href="https://etenal.me/archives/1825">CVE-2022-27666: Exploit esp6 modules in Linux kernel</a></p><p>> <a href="https://github.com/plummm/CVE-2022-27666">Github: plummm/CVE-2022-27666</a></p> |
| [CVE-2022-2602](https://access.redhat.com/security/cve/cve-2022-2602) | A use-after-free vulnerability when an io\_uring request is being processed. | None (io\_uring must be reachable, i.e. not blocked by seccomp) | <p>> <a href="https://exploiter.dev/blog/2022/CVE-2022-2602.html">DirtyCred Remastered: how to turn an UAF into Privilege Escalation</a></p><p>> <a href="https://github.com/LukeGix/CVE-2022-2602">Github: LukeGix/CVE-2022-2602</a></p> |
| [CVE-2022-2588](https://access.redhat.com/security/cve/cve-2022-2588) | A use-after-free vulnerability in route4\_change in the net/sched/cls\_route.c filter implementation in the Linux kernel. | CAP\_NET\_ADMIN | <p>> <a href="https://www.crowdstrike.com/blog/what-is-the-dirtycred-exploit-technique/">DirtyCred: Opening Pandora’s Box to Current and Future Container Escapes</a></p><p>> <a href="https://github.com/Markakd/CVE-2022-2588">Markakd/CVE-2022-2588</a></p> |
| [CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636) | A heap out-of-bounds write in net/netfilter/nf\_dup\_netdev.c (nf\_tables hardware offload path) leads to privilege escalation | CAP\_NET\_ADMIN | [The Discovery and Exploitation of CVE-2022-25636](https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/) |
| [CVE-2022-1786](https://nvd.nist.gov/vuln/detail/CVE-2022-1786) | A use-after-free flaw in io\_uring subsystem in the way a user sets up a ring with IORING\_SETUP\_IOPOLL with more than one task completing submissions on this ring. | `?` | [CVE-2022-1786 A Journey To The Dawn](https://blog.kylebot.net/2022/10/16/CVE-2022-1786/) |
| [CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015) | A flaw in linux/net/netfilter/nf\_tables\_api.c of the netfilter subsystem that allows a local user to cause an out-of-bounds write issue | CAP\_NET\_ADMIN | <p>> <a href="https://ysanatomic.github.io/cve-2022-1015/">CVE-2022-1015: A validation flaw in Netfilter leading to Local Privilege Escalation</a></p><p>> <a href="https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/">How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf\_tables</a></p> |
| [CVE-2022-0995](https://nvd.nist.gov/vuln/detail/CVE-2022-0995) | An out-of-bounds memory write flaw in watch\_queue event notification subsystem that can overwrite parts of the kernel state. | `?` | [Github: Bonfee/CVE-2022-0995](https://github.com/Bonfee/CVE-2022-0995) |
| [CVE-2022-0847](https://nvd.nist.gov/vuln/detail/cve-2022-0847) | "Dirty Pipe": a vulnerability which allows overwriting data in arbitrary read-only files (page cache) and leads to privilege escalation via injecting code into root processes or setuid binaries | None (read access to the target file is sufficient) | <p>> <a href="https://dirtypipe.cm4all.com/">The Dirty Pipe Vulnerability</a></p><p>> <a href="https://jfrog.com/blog/dirtypipe-cve-2022-0847-the-new-dirtycow/">DirtyPipe (CVE-2022-0847) – the new DirtyCoW?</a></p><p>> <a href="https://github.com/greenhandatsjtu/CVE-2022-0847-Container-Escape">Github: greenhandatsjtu/CVE-2022-0847-Container-Escape</a></p><p>> <a href="https://github.com/Al1ex/CVE-2022-0847">Github: Al1ex/CVE-2022-0847</a></p> |
| [CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492) | A missing capability check allows a process without CAP\_SYS\_ADMIN in the root user namespace to set the cgroup v1 `release_agent` file, which the kernel then executes as root on the host | <p>CAP\_SYS\_ADMIN, or unprivileged user namespaces (unshare(CLONE\_NEWUSER \| CLONE\_NEWNS))</p><p>AppArmor/SELinux disabled</p><p>Seccomp disabled</p> | [New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/) |
| [CVE-2022-0185](https://access.redhat.com/security/cve/cve-2022-0185) | A heap-based buffer overflow flaw in the legacy\_parse\_param function in the Filesystem Context functionality of the Linux kernel | <p>CAP\_SYS\_ADMIN</p><p>or <a href="https://man7.org/linux/man-pages/man1/unshare.1.html">unshare(CLONE\_NEWNS \| CLONE\_NEWUSER)</a></p> | <p>> <a href="https://www.willsroot.io/2022/01/cve-2022-0185.html">CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers</a></p><p>> <a href="https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes">CVE-2022-0185 in Linux Kernel Can Allow Container Escape in Kubernetes</a></p><p>> <a href="https://github.com/Crusaders-of-Rust/CVE-2022-0185">Github: Crusaders-of-Rust/CVE-2022-0185</a></p> |
| [CVE-2021-22555](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22555) | A heap out-of-bounds write in Linux Netfilter (x\_tables compat setsockopt path) | CAP\_NET\_ADMIN | [CVE-2021-22555: Turning \x00\x00 into 10000$](https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html) |
| [CVE-2021-31440](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31440) | An incorrect bounds calculation for 32-bit operations in the eBPF verifier allows out-of-bounds reads and writes in kernel memory, leading to privilege escalation | CAP\_SYS\_ADMIN, or none when `kernel.unprivileged_bpf_disabled` is 0 | [CVE-2021-31440: AN INCORRECT BOUNDS CALCULATION IN THE LINUX KERNEL EBPF VERIFIER](https://www.zerodayinitiative.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-calculation-in-the-linux-kernel-ebpf-verifier) |
| [CVE-2020-8835](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8835) | The bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory | CAP\_SYS\_ADMIN, or none when `kernel.unprivileged_bpf_disabled` is 0 | [CVE-2020-8835: LINUX KERNEL PRIVILEGE ESCALATION VIA IMPROPER EBPF PROGRAM VERIFICATION](https://www.zerodayinitiative.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification) |
| [CVE-2017-7308](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308) | The packet\_set\_ring function in net/packet/af\_packet.c does not properly validate certain block-size data, which allows local users to gain privileges via crafted system calls. | CAP\_NET\_RAW | [Exploiting the Linux kernel via packet sockets](https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html) |
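The "Required capabilities" column only helps if you can read your container's actual capability set and reason about how it can be widened. The following script is an added example (not part of the original page or any of the referenced projects): it decodes the `CapEff` bitmask from `/proc/self/status`, then checks it against the capability preconditions listed in the kernel table above, distinguishing capabilities a process already holds from those it could obtain by creating an unprivileged user namespace (the route most of the linked PoCs take) and from the eBPF cases that only need `kernel.unprivileged_bpf_disabled=0`. The function names, the `userns_usable` flag (whether `unshare(CLONE_NEWUSER)` succeeds in this container, which Docker's default seccomp profile blocks) and the sample status text are constructed for this example; the CVE-to-capability mapping restates the table.

```python
"""Decode a container's capability set and triage it against the kernel CVE table.

Added example, not from the original page. CapEff is relative to the
process's current user namespace: a "CAP_SYS_ADMIN" reported inside an
unprivileged user namespace is not CAP_SYS_ADMIN over the host.
"""

# Capability bit numbers, in the order of include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Preconditions restated from the "Required capabilities" column above.
# Route "userns": the capability can also be obtained inside an unprivileged
# user namespace (over the namespace's own netns/mounts), which is enough for
# these bugs. Route "bpf": reachable without capabilities when
# kernel.unprivileged_bpf_disabled == 0 (bpf() checks the init user namespace,
# so a user namespace does not help here).
KERNEL_CVE_PRECONDITIONS = {
    "CVE-2022-34918": ({"CAP_NET_ADMIN"}, "userns"),
    "CVE-2022-32250": ({"CAP_NET_ADMIN"}, "userns"),
    "CVE-2022-2588":  ({"CAP_NET_ADMIN"}, "userns"),
    "CVE-2022-25636": ({"CAP_NET_ADMIN"}, "userns"),
    "CVE-2022-1015":  ({"CAP_NET_ADMIN"}, "userns"),
    "CVE-2021-22555": ({"CAP_NET_ADMIN"}, "userns"),
    "CVE-2017-7308":  ({"CAP_NET_RAW"}, "userns"),
    "CVE-2022-0185":  ({"CAP_SYS_ADMIN"}, "userns"),
    "CVE-2022-0492":  ({"CAP_SYS_ADMIN"}, "userns"),
    "CVE-2021-31440": ({"CAP_SYS_ADMIN"}, "bpf"),
    "CVE-2020-8835":  ({"CAP_SYS_ADMIN"}, "bpf"),
    "CVE-2022-29582": (set(), None),
    "CVE-2022-2602":  (set(), None),
    "CVE-2022-0847":  (set(), None),
}

# Constructed sample: what a root process shows under Docker's default
# capability set (CapEff 00000000a80425fb) with the default seccomp filter.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "Seccomp:\t2\n"
    "NoNewPrivs:\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)


def parse_proc_status(text):
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hex_mask):
    """Turn a CapXxx hex bitmask into the set of capability names it contains."""
    mask = int(hex_mask, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            # Bits beyond the known list (newer kernels) are kept by number.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def triage(status_text, userns_usable=False, unprivileged_bpf_disabled=1):
    """Return the effective caps, seccomp mode and the table CVEs whose
    capability precondition this process satisfies."""
    fields = parse_proc_status(status_text)
    caps = decode_caps(fields["CapEff"])
    # Seccomp mode 2 (filter) is the normal container state; whether a given
    # PoC still works then depends on the profile, so report it, do not guess.
    seccomp_mode = int(fields.get("Seccomp", "0"))
    reachable = []
    for cve, (needed, route) in KERNEL_CVE_PRECONDITIONS.items():
        if needed <= caps:
            reachable.append(cve)
        elif route == "userns" and userns_usable:
            reachable.append(cve)
        elif route == "bpf" and unprivileged_bpf_disabled == 0:
            reachable.append(cve)
    return {"caps": sorted(caps), "seccomp": seccomp_mode, "cves": sorted(reachable)}


if __name__ == "__main__":
    # Run inside a container as: python3 triage.py (reads the live status file).
    try:
        with open("/proc/self/status") as fh:
            status = fh.read()
    except OSError:
        status = SAMPLE_STATUS
    print(triage(status))
```

On a real system, pass `userns_usable=True` only after checking `unshare -Ur true` succeeds, and read `/proc/sys/kernel/unprivileged_bpf_disabled` for the third argument; the script deliberately does not probe either itself, because a triage tool that calls `unshare()` from inside a monitored container is itself a detection event.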

## RunC

| CVE                                                                                              | Title                                                                                     | Affected versions | References                                                                                                                                                                                                                                                                                                                                                |
| ------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------- | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [CVE-2021-30465](https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r) | Mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs | <=1.0.0-rc94      | <p>> <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r">Github advisories: GHSA-c3xm-pvg7-gh7r</a></p><p>> <a href="http://blog.champtar.fr/runc-symlink-CVE-2021-30465/">runc mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs (CVE-2021-30465)</a></p>                   |
| [CVE-2019-19921](https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw) | Procfs race condition with a shared volume mount                                          | <1.0.0-rc10       | [Github advisories: GHSA-fh74-hm69-rqjw](https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw)                                                                                                                                                                                                                                  |
| [CVE-2019-5736](https://nvd.nist.gov/vuln/detail/CVE-2019-5736)                                  | Overwrite host runc binary due to file-descriptor mishandling                             | <=1.0.0-rc6       | <p>> <a href="https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html">CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host</a></p><p>> <a href="https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/">Breaking out of Docker via runC – Explaining CVE-2019-5736</a></p> |
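
The tables above give a capability or a version range per CVE, so the first thing to do on a target is check those preconditions. The script below is an added example (not part of the original cheat sheet or of any project listed here): run inside a container it decodes the `CapEff` mask from `/proc/self/status` against the capabilities named in the kernel table and reports the `unprivileged_bpf_disabled` sysctl; given the host's `runc --version` string it lists which RunC rows apply. The version bounds are copied from the RunC table, the capability bit numbers are from `<linux/capability.h>`, and the file name `container-cve-triage.sh` is made up for the usage line.

```shell
#!/usr/bin/env bash
# Added example, not from the original cheat sheet: triage the preconditions
# listed in the CVE tables above.
#   Usage (hypothetical file name):  sh container-cve-triage.sh check [runc-version]

# Capability bit numbers from <linux/capability.h>.
CAP_NET_RAW=13
CAP_SYS_ADMIN=21

# has_cap <hex-mask> <cap-number>: succeeds if the bit is set in the mask,
# where <hex-mask> is the value of the CapEff line in /proc/self/status.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# ver_key <version>: prints "MAJ MIN PAT REL RC". REL is 0 for an -rcN
# pre-release and 1 for a final release, so 1.0.0-rc94 < 1.0.0 < 1.0.1
# (plain `sort -V` orders 1.0.0-rc94 after 1.0.0). A leading "v" and a
# missing third field ("1.0-rc6", as NVD writes it) are tolerated.
ver_key() {
    local v rel rc maj min pat
    v=${1#v}; rel=1; rc=0
    case $v in
        *-rc*) rc=${v##*-rc}; rel=0; v=${v%-rc*} ;;
    esac
    v="$v.0.0"
    maj=${v%%.*}; v=${v#*.}
    min=${v%%.*}; v=${v#*.}
    pat=${v%%.*}
    printf '%d %d %d %d %d\n' "$maj" "$min" "$pat" "$rel" "$rc"
}

# ver_le <a> <b>: succeeds if version a <= version b.
ver_le() {
    set -- $(ver_key "$1") $(ver_key "$2")
    # $1..$5 hold a's key and $6..$10 hold b's; shifting keeps $1/$6 paired.
    while [ $# -gt 5 ]; do
        [ "$1" -lt "$6" ] && return 0
        [ "$1" -gt "$6" ] && return 1
        shift
    done
    return 0
}

# runc_affected <version>: prints, space separated, the RunC CVEs from the
# table whose affected range contains <version>. Bounds are the table's;
# "<1.0.0-rc10" is expressed as "<= rc9".
runc_affected() {
    local hits
    hits=""
    ver_le "$1" 1.0.0-rc94 && hits="$hits CVE-2021-30465"
    ver_le "$1" 1.0.0-rc9  && hits="$hits CVE-2019-19921"
    ver_le "$1" 1.0.0-rc6  && hits="$hits CVE-2019-5736"
    printf '%s\n' "${hits# }"
}

# Live check, meant to run inside the container under investigation.
main() {
    local mask
    mask=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status)
    echo "kernel:  $(uname -r)"
    echo "CapEff:  $mask"
    has_cap "$mask" "$CAP_SYS_ADMIN" &&
        echo "  CAP_SYS_ADMIN present (CVE-2020-8835 precondition)"
    has_cap "$mask" "$CAP_NET_RAW" &&
        echo "  CAP_NET_RAW present (CVE-2017-7308 precondition)"
    # Without CAP_SYS_ADMIN the verifier is still reachable when the kernel
    # allows unprivileged eBPF (value 0) and no seccomp profile blocks bpf(2).
    if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
        echo "kernel.unprivileged_bpf_disabled = $(cat /proc/sys/kernel/unprivileged_bpf_disabled)"
    fi
    # runc is normally not visible from inside the container, so its version
    # (from `runc --version` on the host) is passed in as an argument.
    if [ -n "${1:-}" ]; then
        echo "runc $1 matches: $(runc_affected "$1")"
    fi
}

case ${1:-} in
    check) shift; main "$@" ;;
esac
```

Docker's default capability set for an unprivileged container decodes to `CapEff: 00000000a80425fb`, which has bit 13 (CAP\_NET\_RAW) set and bit 21 (CAP\_SYS\_ADMIN) clear, so on such a container the script flags the CVE-2017-7308 row but not the CVE-2020-8835 one. The pre-release handling in `ver_key` matters because runc shipped as `1.0.0-rcN` for years: a naive string or `sort -V` comparison puts `1.0.0` below `1.0.0-rc94` and would report a fixed release as vulnerable.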

## References

* [Container Security Site: Container CVE List](https://www.container-security.site/general_information/container_cve_list.html)
* Zeronights 2021: Dmitriy Evdokimov – Container escapes Kubernetes edition
  * [Video](https://www.youtube.com/watch?v=JoLgVBTc73c)
  * [Slides](https://zeronights.ru/wp-content/uploads/2021/09/zn2021_container_escapes_kubernetes_edition_v4.pdf)
