CVE List

Containerd

CVE	Title	Affected versions	References
CVE-2021-41103	Insufficiently restricted permissions on container root and plugin directories	<1.4.11 <1.5.7	Github advisories: GHSA-c2h3-6mxw-7mvq
CVE-2021-32760	Archive package allows chmod of file outside of unpack target directory	<=1.4.7 <=1.5.3	Github advisories: GHSA-c72p-9xmj-rx3w
CVE-2021-21334	containerd CRI plugin: environment variables can leak between containers	<=1.3.9 <= 1.4.3	Github advisories: GHSA-6g2q-w5j3-fwh4
CVE-2020-15257	containerd-shim API Exposed to Host Network Containers	<=1.3.7 1.4.0 1.4.1	Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)
CVE-2020-15157	containerd v1.2.x can be coerced into leaking credentials during image pull	< 1.3.0	> Github advisories: GHSA-742w-89gc-8m9c > CVE-2020-15157 "ContainerDrip" Write-up

CRI-O

CVE	Title	Affected versions	References
CVE-2022-0811	Rights to deploy a pod on a Kubernetes cluster leads to abusing the kernel.core_pattern parameter	>1.19.0	cr8escape: New Vulnerability in CRI-O Container Engine Discovered by CrowdStrike (CVE-2022-0811)

Linux kernel

CVE	Title	Required capabilities	References
CVE-2022-25636	An out-of-bounds memory access leads to privilege escalation	CAP_NET_ADMIN	The Discovery and Exploitation of CVE-2022-25636
CVE-2022-0492	Missing verification allows setting the release_agent file for the process without administrative privileges	CAP_SYS_ADMIN Disabled AppArmor/SELinux Disabled Seccomp	New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?
CVE-2022-0185	A heap-based buffer overflow flaw in the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel	CAP_SYS_ADMIN or unshare(CLONE_NEWNS|CLONE_NEWUSER)	> CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers > CVE-2022-0185 in Linux Kernel Can Allow Container Escape in Kubernetes > Demo exploits for CVE-2022-0185
CVE-2021-22555	A heap out-of-bounds write in Linux Netfilter	CAP_NET_ADMIN	CVE-2021-22555: Turning \x00\x00 into 10000$
CVE-2021-31440	The flaw in handling of eBPF programs leads to escalate privileges	CAP_SYS_MODULE	CVE-2021-31440: AN INCORRECT BOUNDS CALCULATION IN THE LINUX KERNEL EBPF VERIFIER
CVE-2020-8835	The bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory	CAP_SYS_ADMIN	CVE-2020-8835: LINUX KERNEL PRIVILEGE ESCALATION VIA IMPROPER EBPF PROGRAM VERIFICATION
CVE-2017-7308	The packet_set_ring function in net/packet/af_packet.c does not properly validate certain block-size data, which allows local users to gain privileges via crafted system calls.	CAP_NET_RAW	Exploiting the Linux kernel via packet sockets

RunC

CVE	Title	Affected versions	References
CVE-2021-30465	mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs	<=1.0.0-rc94	> Github advisories: GHSA-c3xm-pvg7-gh7r > runc mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs (CVE-2021-30465)
CVE-2019-19921	procfs race condition with a shared volume mount	<1.0.0-rc10	Github advisories: GHSA-fh74-hm69-rqjw
CVE-2019-5736	Overwrite host runc binary due to file-descriptor mishandling	<=1.0-rc6	> CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host > Breaking out of Docker via runC – Explaining CVE-2019-5736

References

• Container Security Site: Container CVE List

• Zeronights 2021: Dmitriy Evdokimov – Container escapes Kubernetes edition

  • Video

  • Slides