Container orchestration with Docker and Kubernetes has become the standard for modern infrastructure. But vulnerabilities in these components can allow an attacker to escape a container and compromise the host, or seize control of an entire Kubernetes cluster.
CVE-2019-5736: Runc Container Escape (CVSS 8.6)
The Most Famous Container Escape
CVE-2019-5736 is a vulnerability in runc — the container runtime used by Docker, containerd, CRI-O and others. It allows a malicious container to overwrite the runc binary on the host, gaining arbitrary code execution on the host system with root privileges.
How it works:
By exploiting the fact that /proc/self/exe inside a container points to the host's runc binary during execution, an attacker can:
- Open a file descriptor to /proc/self/exe
- Wait for the runc process to finish
- Overwrite the runc binary with malicious code
- The next runc execution runs the malicious code on the host
Affected versions: runc < 1.0-rc6, Docker < 18.09.2
CVE-2022-0492: Escape via cgroup v1 (CVSS 7.8)
Improper permission checking in Linux cgroup management allowed an unprivileged container to write to a cgroup's release_agent file, which was executed with host root privileges when the cgroup was released.
CVE-2021-25741: Symlink Escape in Kubernetes (CVSS 8.1)
A flaw in kubelet allowed a malicious pod to create symbolic links that, during hostPath volume mounting, granted access to arbitrary files on the Kubernetes host node, including system secrets.
CVE-2018-1002105: Privilege Escalation in Kubernetes (CVSS 9.8)
One of the worst Kubernetes CVEs. A flaw in the Kubernetes API server allowed any authenticated user (even without special privileges) to execute requests directly to API backends with the API server's own privileges — i.e., cluster-admin rights.
CVE-2024-21626: Runc Escape (CVSS 8.6)
In 2024, a new runc escape appeared, caused by an improperly handled WORKDIR: a container could escape to the host by using a file descriptor left open to the working directory during container execution.
Securing Docker
1. Never Run Containers with --privileged
# DANGEROUS — grants full host access
docker run --privileged myimage
# CORRECT — restrict capabilities
docker run --cap-drop ALL --cap-add NET_BIND_SERVICE myimage
2. Use Non-Root Users in Containers
# Dockerfile
FROM node:18-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
3. Enable Security Profiles (AppArmor/Seccomp)
# Apply a seccomp profile explicitly (Docker already applies its built-in default profile when none is given; supplying your own file lets you tighten it further)
docker run --security-opt seccomp=/etc/docker/seccomp.json myimage
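The three settings above can be verified on a running host rather than trusted from the run command. The following script is an added example (not code from the original page or from the Docker project): it parses the JSON that `docker inspect` prints and flags containers that run privileged, keep the default capability set, add a high-risk capability, run as root, or disable seccomp/AppArmor. The two container records embedded below are constructed sample data in the shape `docker inspect` emits; the list of "risky" capabilities is this example's own choice.

```python
"""Audit `docker inspect` output for privileged mode, capabilities, user and security profiles.

Added example, not from the original page or the Docker project. The records in
SAMPLE_INSPECT are constructed sample data shaped like real `docker inspect` output.
"""
import json
import subprocess

# Constructed sample: two records in the shape `docker inspect` emits (trimmed to the fields used).
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/legacy-app",
        "Config": {"User": "", "Image": "myimage"},
        "HostConfig": {"Privileged": True, "CapDrop": [], "CapAdd": ["SYS_ADMIN"],
                       "SecurityOpt": ["seccomp=unconfined"]},
    },
    {
        "Id": "bbb222",
        "Name": "/hardened-app",
        "Config": {"User": "appuser", "Image": "myimage"},
        "HostConfig": {"Privileged": False, "CapDrop": ["ALL"],
                       "CapAdd": ["NET_BIND_SERVICE"], "SecurityOpt": None},
    },
])

# Capabilities that hand a container a large part of the host (this example's own list).
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_container(record):
    """Return a list of findings (strings) for one inspect record; empty list = clean."""
    findings = []
    host = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}

    if host.get("Privileged"):
        findings.append("privileged: full host device and capability access")

    # Without `--cap-drop ALL` the container keeps Docker's default capability set.
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities: default set kept (no --cap-drop ALL)")

    for cap in host.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "") in RISKY_CAPS:
            findings.append(f"capabilities: {cap} added")

    # Config.User is "" when the image has no USER instruction and no --user was passed.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("user: runs as root (no USER in Dockerfile / no --user)")

    for opt in host.get("SecurityOpt") or []:
        if opt.replace(" ", "") in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"security profile disabled: {opt}")

    return findings


def audit_inspect_json(text):
    """Map container name -> findings for a `docker inspect` JSON array."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(text)}


def audit_running_containers():
    """Live variant: inspect every running container on this host (needs the docker CLI)."""
    ids = subprocess.check_output(["docker", "ps", "-q"], text=True).split()
    if not ids:
        return {}
    out = subprocess.check_output(["docker", "inspect", *ids], text=True)
    return audit_inspect_json(out)


if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else 'REVIEW'}")
        for f in findings:
            print(f"  - {f}")
```

Run it as-is to see the sample report, or call `audit_running_containers()` on a host with Docker to audit what is actually running; a clean container yields an empty findings list.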
4. Update Docker and runc Regularly
# Check versions
docker version
runc --version
# Update
apt-get update && apt-get upgrade docker-ce containerd.io
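Checking the printed versions by eye is error-prone, especially with runc release candidates. The script below is an added example (not from the original page or the runc/Docker projects) that parses the output of `runc --version` and `docker version --format '{{.Server.Version}}'` and compares them against the two affected ranges stated above for CVE-2019-5736 (runc < 1.0-rc6, Docker < 18.09.2); no other version bounds are encoded. The captured `runc --version` text is a constructed sample.

```python
"""Compare installed runc and Docker versions against the CVE-2019-5736 ranges stated on the page.

Added example, not from the original page or the runc/Docker projects. SAMPLE_RUNC_OUTPUT
is a constructed sample of what `runc --version` prints.
"""
import re
import subprocess

# Constructed sample of `runc --version` output; the first line carries the version.
SAMPLE_RUNC_OUTPUT = "runc version 1.0-rc5\ncommit: 4fc53a8\nspec: 1.0.0\n"

# Exclusive upper bounds taken from the page: versions below these are affected.
AFFECTED_BELOW = {
    "runc": ("CVE-2019-5736", "1.0-rc6"),
    "docker": ("CVE-2019-5736", "18.09.2"),
}


def parse_version(text):
    """Turn '1.0-rc6', '1.0', '18.09.2' or '1.1.4' into a comparable tuple.

    Numeric parts are padded to three fields. A release candidate sorts below the
    final release of the same number: the fourth field is 0 for an rc and 1 for a final.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)(?:-rc\.?(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    rc = m.group(2)
    return (*nums[:3], 0, int(rc)) if rc else (*nums[:3], 1, 0)


def runc_version_from_output(output):
    """Extract the version string from `runc --version` text."""
    m = re.search(r"runc version\s+(\S+)", output)
    if not m:
        raise ValueError("no runc version line found")
    return m.group(1)


def check(component, version):
    """Return (affected, cve) for a component/version pair."""
    cve, bound = AFFECTED_BELOW[component]
    return parse_version(version) < parse_version(bound), cve


def check_host():
    """Live variant: query the runc and Docker binaries installed on this machine."""
    runc_out = subprocess.check_output(["runc", "--version"], text=True)
    docker_ver = subprocess.check_output(
        ["docker", "version", "--format", "{{.Server.Version}}"], text=True)
    return {
        "runc": check("runc", runc_version_from_output(runc_out)),
        "docker": check("docker", docker_ver),
    }


if __name__ == "__main__":
    ver = runc_version_from_output(SAMPLE_RUNC_OUTPUT)
    affected, cve = check("runc", ver)
    print(f"runc {ver}: {'AFFECTED by ' + cve if affected else 'not in affected range'}")
```

The rc handling is the part worth keeping: a naive string comparison would rank `1.0-rc5` above `1.0`, whereas the tuple form places every release candidate below the final release it precedes.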
5. Scan Images with Trivy
# Scan an image for CVEs
trivy image nginx:latest
trivy image --severity HIGH,CRITICAL myapp:1.0
Securing Kubernetes
1. Enable RBAC and Least Privilege
# Create a restricted role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
2. Use Pod Security Standards
# Enforce strict security on a namespace
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
3. Network Policies to Isolate Pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  # No ingress rules = all incoming traffic blocked by default
4. Enable Kubernetes Audit Logging
# kube-apiserver flags
--audit-log-path=/var/log/kubernetes/audit.log
--audit-log-maxage=30
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
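Writing the audit log is only half of the control; someone has to read it. The script below is an added example (not from the original page or the Kubernetes project) that scans the JSON-lines file written to `--audit-log-path` under a Metadata-level policy and tags three kinds of events worth reviewing: requests from `system:anonymous`, successful Secret reads by service accounts, and `pods/exec` sessions. The four events embedded in it are constructed samples, and the detection rules are this example's own choices rather than anything the page prescribes.

```python
"""Scan kube-apiserver audit events (JSON lines) for activity an operator should review.

Added example, not from the original page or the Kubernetes project. SAMPLE_AUDIT_LOG holds
constructed events in the audit.k8s.io/v1 shape; the alert rules are this example's own.
"""
import json
from collections import Counter

# Constructed sample audit events, one JSON object per line as kube-apiserver writes them.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "stage": "ResponseComplete", "verb": "get",
     "requestURI": "/api/v1/namespaces/prod/secrets/db-creds",
     "user": {"username": "system:serviceaccount:prod:web", "groups": ["system:serviceaccounts"]},
     "sourceIPs": ["10.0.0.5"],
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "stage": "ResponseComplete", "verb": "create",
     "requestURI": "/api/v1/namespaces/prod/pods/web-1/exec?command=sh",
     "user": {"username": "jane", "groups": ["developers"]},
     "sourceIPs": ["203.0.113.7"],
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-1"},
     "responseStatus": {"code": 101}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "stage": "ResponseComplete", "verb": "list",
     "requestURI": "/api/v1/secrets",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["198.51.100.9"],
     "objectRef": {"resource": "secrets"},
     "responseStatus": {"code": 403}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "stage": "ResponseComplete", "verb": "get",
     "requestURI": "/api/v1/namespaces/prod/pods",
     "user": {"username": "system:serviceaccount:prod:web", "groups": ["system:serviceaccounts"]},
     "sourceIPs": ["10.0.0.5"],
     "objectRef": {"resource": "pods", "namespace": "prod"},
     "responseStatus": {"code": 200}},
])

READ_VERBS = {"get", "list", "watch"}


def classify(event):
    """Return the alert tags that apply to one audit event (empty list = nothing to flag)."""
    tags = []
    user = (event.get("user") or {}).get("username", "")
    ref = event.get("objectRef") or {}
    verb = event.get("verb", "")
    code = (event.get("responseStatus") or {}).get("code", 0)

    # Anonymous callers should not reach a hardened API server; even rejected ones are worth seeing.
    if user == "system:anonymous":
        tags.append("anonymous-request")
    # A workload identity reading Secret objects directly is unusual for most applications.
    if (ref.get("resource") == "secrets" and verb in READ_VERBS and code < 300
            and user.startswith("system:serviceaccount:")):
        tags.append("serviceaccount-secret-read")
    # Interactive shells into pods are an audit point in most environments.
    if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
        tags.append("pod-exec")
    return tags


def scan_audit_log(text):
    """Parse JSON-lines audit text; return (alerts, per-tag counts). Malformed lines are skipped."""
    alerts, counts = [], Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        tags = classify(event)
        if tags:
            alerts.append({"user": (event.get("user") or {}).get("username", ""),
                           "verb": event.get("verb"), "uri": event.get("requestURI"), "tags": tags})
            counts.update(tags)
    return alerts, counts


if __name__ == "__main__":
    found, totals = scan_audit_log(SAMPLE_AUDIT_LOG)
    for a in found:
        print(f"[{','.join(a['tags'])}] {a['user']} {a['verb']} {a['uri']}")
    print(dict(totals))
```

To run it against a real cluster, pass the contents of the file named in `--audit-log-path` to `scan_audit_log`; the policy file must record at least Metadata level for `secrets` and `pods/exec`, otherwise those events never reach the log.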
5. Encrypt Secrets at Rest
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded-secret>
6. Never Expose the Kubernetes Dashboard to the Internet
The Kubernetes Dashboard has been a vector for numerous compromises (Tesla, Shopify...) when exposed without authentication.
Container Security Tools
- Trivy: CVE scanner for images and clusters
- Falco: runtime anomaly detection in containers
- kube-bench: CIS Kubernetes compliance audit
- kube-hunter: automated Kubernetes penetration testing
- OPA/Gatekeeper: policy enforcement for Kubernetes
Check Docker and Kubernetes CVEs on cveo.tech — search for docker, kubernetes or runc for a complete inventory.