Navigating the Waters of Container Security : Understanding CVE-2024-21626 the “Leaky Vessels” Vulnerabilities in Docker, runc, and BuildKit

container security vulnerabilities, CVE-2024-21626 exploit, BuildKit security flaw, application security best practices, vulnerability management in containers, Docker container protection, runC vulnerability mitigation, secure container deployment, patching container vulnerabilities, securing Kubernetes environments

In the world of app sec, ASPM and container security, a new series of vulnerabilities affecting core container functionalities have been discovered: CVE-2024-21626, dubbed the “Leaky Vessels,” has emerged, casting a spotlight on the critical components of containerization technology—Docker, runs, and BuildKit. Together with the main vulnerability, other variations have been recorded all above 8.7 to the last one, a perfect 10: CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652. These vulnerabilities underscore the ongoing challenge of vulnerability management within container ecosystems, serving as a crucial reminder of the importance of maintaining robust security practices in application development and deployment.

The CVE-2024-21626 “Leaky Vessels” Vulnerabilities Explained

At the heart of the “Leaky Vessels” vulnerabilities lies a significant flaw in runc, the underlying container runtime used by Docker and other container platforms, identified as CVE-2024-21626. This vulnerability allows attackers to gain unauthorized access to the host operating system from within a container, posing a severe risk to system integrity and data security. Alongside this, additional vulnerabilities in BuildKit—a toolkit for converting code into container images used in conjunction with runc—further exacerbate the threat landscape. These include CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, each presenting unique challenges in the context of container security.

Consequences and Impact CVE-2024-21626

The ramifications of these vulnerabilities are far-reaching. Attackers exploiting these flaws could potentially access sensitive data, manipulate system operations, or launch further attacks from the compromised system. The “Leaky Vessels” vulnerabilities serve as a stark reminder of the potential for significant downtime and data loss if not promptly and effectively addressed.

Chaining Vulnerabilities: A Closer Look

The interplay between the vulnerabilities in runc and BuildKit presents a complex scenario where an attacker could chain these vulnerabilities to escalate privileges and execute arbitrary code on the host system. This chain of vulnerabilities highlights the intricate dependencies within container runtime environments and the need for comprehensive security measures that span across different components of the container ecosystem.

Recently disclosed vulnerabilities, CVE-2024-21626 and others related to runC and BuildKit, highlight the ongoing challenges in securing containerized environments. Here’s a closer look at how these vulnerabilities function, offering insights into their mechanisms and implications.

Understanding CVE-2024-21626

CVE-2024-21626 exposes a critical flaw within the runC container runtime. This vulnerability arises from an internal file descriptor leak, specifically when the process.cwd is manipulated to access the host’s filesystem namespace. By running a malicious image or building one using a malicious base image, attackers can exploit this leak. The manipulation of process.cwd()—which returns the current working directory—to an unauthorized directory on the host, essentially grants the malicious container binary unfettered access to the host filesystem. This access enables a wide range of nefarious activities, from data theft to further system compromise.

The Mechanics of CVE-2024-23651 in BuildKit

CVE-2024-23651 targets BuildKit’s handling of cache volumes during the build process. This vulnerability leverages a specific condition related to the mounting of cache volumes, allowing attackers to mount a persistent directory at a controlled location. The crux of the issue lies in the manipulation of the source path, permitting an arbitrary directory from the host to be mounted into the container’s filesystem. This effectively grants default root user privileges over the host, contingent on the attacker deciphering the working directory path. Mitigation efforts in BuildKit version 0.12.5 have focused on enhancing the validation of the source directory to thwart such attacks.

Exploring CVE-2024-23652 and Its Implications

CVE-2024-23652, another vulnerability within BuildKit, emerges during the cleanup phase of temporarily added directories. The vulnerability is activated if the target directory for mounting files is altered with a symbolic link to another directory on the host. This allows attackers to specify removal operations for any file on the host, exploiting the cleanup process. The resolution in BuildKit version 0.12.5 ensures that the directory cleanup is strictly confined to the container’s filesystem, eliminating the risk of external manipulation.

CVE-2024-23653: GRPC Security Flaw in BuildKit

Lastly, CVE-2024-23653 highlights a vulnerability in BuildKit’s interaction with GRPC, a prevalent remote access framework. This issue arises during the build process when a custom parser format, substituted for the default, manipulates GRPC server interactions to launch containers with elevated privileges. The mitigation strategy involves the BuildKit daemon rejecting the creation of privileged containers if the returned arguments from the GRPC server deviate from expected parameters, a security enhancement incorporated from BuildKit v0.12.5 onwards.

Learning from the Past: Previous runc Vulnerabilities

This is not the first time runc has been in the spotlight for security vulnerabilities. Previous issues, such as the Runcscape vulnerability (CVE-2019-5736), have shed light on the potential for container escape and underscore the importance of ongoing vigilance and prompt updates to mitigate risks associated with container runtimes.

Addressing the Vulnerabilities

To safeguard against these vulnerabilities, it is imperative for organizations to prioritize security updates and patches from vendors. Docker and other tools utilizing runc and BuildKit have already released updates to address these issues. Additionally, inspecting Dockerfiles for unsafe commands and employing detection tools to identify potential exploits can further enhance security postures.

For more detailed insights and guidance on mitigating these vulnerabilities, refer to the expert analysis provided by Snyk and KSOC in their respective blogs:

Red Hat advised inspecting Dockerfiles with the Run and WORKDIR directives to ensure they have no escapes or malicious paths. For those with Linux kernels supporting eBPF, Snyk has released a detector for the vulnerability, leaky-vessels-runtime-detector.

Get an overview of your asset lineage

Exploitation and analysis of CVE-2023-50164

No evidence of exploitation so far nonetheless, the major container house like AWS, Chainguard etc… are uploading clean images

PoC not found exploited in the wild:

Several thread on X/ twitter are following the vulnerability and showing the exploit

How can ASPM Help

In the rapidly evolving field of application security, the ability to swiftly identify vulnerabilities across diverse environments, including containers and traditional virtual machines, is paramount. Advanced Security and Protection Mechanisms (ASPM) play a crucial role in this process by leveraging sophisticated scanning technologies and libraries designed for deep inspection. These mechanisms are engineered to detect vulnerabilities by analyzing the libraries and dependencies used within applications, regardless of the underlying infrastructure. ASPM tools integrate seamlessly with CI/CD pipelines, providing real-time feedback and ensuring that any security issues are identified at the earliest stage of development. Whether the application runs in a containerized environment, orchestrated by platforms like Docker or Kubernetes, or within a traditional virtual machine setup, ASPM facilitates a proactive approach to vulnerability management. This approach not only streamlines the security workflow but also significantly reduces the window of opportunity for attackers, enhancing the overall security posture of the application and protecting sensitive data from potential breaches.


The discovery of the “Leaky Vessels” vulnerabilities serves as a critical reminder of the inherent risks in containerized environments and the need for proactive vulnerability management and application security practices. By staying informed about potential vulnerabilities, applying timely updates, and employing comprehensive security strategies, organizations can navigate the choppy waters of container security and safeguard their applications against emerging threats.

How Phoenix Security Can Help

attack graph, phoenix security

Phoenix Security ASPM helps organizations identify and trace which systems have vulnerabilities, understanding the relation between code and cloud. One of the significant challenges in securing applications is knowing where and how frameworks like Struts are used. ASPM tools can scan the application portfolio to identify instances of Struts, mapping out where it is deployed across the organization. This information is crucial for targeted security measures and efficient patch management. Phoenix Security’s robust Application Security Posture Management (ASPM) system is adept at not just managing, but preempting the exploitation of vulnerabilities through its automated identification system. This system prioritises critical vulnerabilities, ensuring that teams can address the most pressing threats first, optimising resource allocation and remediation efforts.

Phoenix Security, Struts, Apache, Remote Code Execution, Cybersecurity, ASPM CVE-2017-5638, CVE-2023-50164

The Role of Application Security Posture Management (ASPM):

ASPM is vital in managing and securing applications like those built with Apache Struts. It involves continuous assessment, monitoring, and improvement of the security posture of applications. ASPM tools can:

  1. Identify and Track Struts Components: Locate where Struts is implemented within the application infrastructure.
  2. Vulnerability Management: Detect known vulnerabilities in Struts and prioritize them for remediation.
  3. Configuration Monitoring: Ensure Struts configurations adhere to best security practices.
  4. Compliance: Check if the usage of Struts aligns with relevant cybersecurity regulations and standards.
Phoenix Security, Struts, Apache, Remote Code Execution, Cybersecurity, ASPM CVE-2017-5638, CVE-2023-50164, phoenix security

By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.

Get an overview of your asset lineage


Previous Issues of Vulnerability Weekly

Other Useful resources

Data Visualization of vulnerabilities in the wild

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Explore ASPM’s role in modern application security, offering a panoramic view that extends beyond code vulnerabilities. This guide demystifies concepts like traceability, reachability analysis, and asset lineage, pivotal for securing digital assets. Learn how ASPM empowers organizations with actionable insights for precise vulnerability management. #Cybersecurity #ASPM #ApplicationSecurity
Francesco Cipollone
Explore the transformative role of ASPM in cybersecurity. Uncover how Application Security Posture Management aligns business and security objectives for effective vulnerability management and risk reduction. Discover Phoenix Security’s innovative approach to tackling the staggering challenge of CVEs with a strategic focus on prioritization. #ASPM #Cybersecurity #VulnerabilityManagement
Francesco Cipollone
Explore the critical insights into the latest container security vulnerabilities named leaky vessels, including CVE-2024-21626, CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, BuildKit flaws, with our comprehensive guide on mitigation strategies, best practices for application security, and tips for robust vulnerability management in Docker and Kubernetes environments. Stay ahead in securing your container deployments against potential threats with ASPM help
Francesco Cipollone

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.