Github.com/opencontainers/runc

This hub aggregates every CVE we track for Github.com/opencontainers/runc, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Github.com/opencontainers/runc.

• CVE-2025-52881runc: LSM labels can be bypassed with malicious config using dummy procfs files7.5Nov 6, 2025
• CVE-2025-52565container escape due to /dev/console mount and related races7.5Nov 6, 2025
• CVE-2025-31133runc container escape via "masked path" abuse due to mount race conditions7.8Nov 6, 2025
• CVE-2024-45310runc can be confused to create empty files/directories on the host3.6Sep 3, 2024
• CVE-2024-21626runc container breakout through process.cwd trickery and leaked fds8.6Jan 31, 2024
• CVE-2023-25809rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc5.0Mar 29, 2023
• CVE-2023-28642AppArmor bypass with symlinked /proc in runc6.1Mar 29, 2023
• CVE-2023-27561runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with ...7.0Mar 3, 2023
• CVE-2022-29162Incorrect Default Permissions in runc5.9May 17, 2022
• CVE-2021-43784Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration6.0Dec 6, 2021
• CVE-2021-30465runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mo...8.5May 27, 2021
• CVE-2019-19921runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers w...7.0Feb 12, 2020
• CVE-2019-16884runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a...7.5Sep 25, 2019
• CVE-2016-9962RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file...6.4Jan 31, 2017
• CVE-2016-3697libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric u...7.8Jun 1, 2016