Tags: Docker, Kubernetes, CVE-2019-5736, containers, escape, cluster

Docker and Kubernetes: Critical CVEs and Container Security

Docker and Kubernetes concentrate the vulnerabilities that enable container escape and cluster compromise. An analysis of the major CVEs and of how to harden your containerized infrastructure.

April 23, 2026 · 3 min read

Docker for building and running containers, and Kubernetes for orchestrating them, have become standard infrastructure. But vulnerabilities in these components can let an attacker escape a container and compromise the host, or take control of an entire Kubernetes cluster.

CVE-2019-5736: Runc Container Escape (CVSS 8.6)

The Most Famous Container Escape

CVE-2019-5736 is a vulnerability in runc, the low-level container runtime used by Docker, containerd, CRI-O and Podman. It lets a malicious container, or a container an attacker has already compromised, overwrite the runc binary on the host and so run arbitrary code on the host as root.

How it works:

When an operator runs docker exec (or runc exec) into a container, the new process starts out as the host's runc binary, so its /proc/self/exe (visible from inside the container as /proc/<pid>/exe) refers to that host file. A process inside the container can therefore:

  1. Replace the container's shell or entrypoint with a script whose interpreter line is #!/proc/self/exe, so that the next exec into the container turns into a runc process, then open that process's /proc/<pid>/exe. The descriptor has to be opened read-only at this point, because the kernel refuses to open a running executable for writing (ETXTBSY).
  2. Wait for that runc process to exit.
  3. Reopen the descriptor for writing through /proc/self/fd/<n> and overwrite the host's runc binary with attacker-controlled code.
  4. The next runc invocation on the host, for any container, runs the malicious binary as root.

The attack needs an operator action (an exec into the attacker's container, or starting a container from an attacker-controlled image) but no privileges inside the container. The fix copies the runc binary into a sealed memfd and re-executes from it, so /proc/self/exe no longer points at the file on the host.

Affected versions: runc < 1.0-rc6, Docker < 18.09.2. containerd, CRI-O and the Kubernetes distributions shipped their own patched runc builds, so check the runc version directly (runc --version) rather than relying on the Docker version alone.

CVE-2022-0492: Escape via cgroup v1 release_agent (CVSS 7.8)

The Linux kernel did not check that a process writing a cgroup v1 release_agent file held CAP_SYS_ADMIN in the host's initial user namespace. A container that could mount a cgroup v1 hierarchy, either because it ran with CAP_SYS_ADMIN (for example --privileged) or because it could create its own user and mount namespaces, could set release_agent to a program of its choice, which the kernel then executed as host root when the last process in the cgroup exited. Docker's default seccomp and AppArmor profiles block the unshare/mount path, so the realistic targets were privileged containers and containers started with those profiles disabled; cgroup v2 has no release_agent and is not affected. Fixed in Linux 5.17 and backported to stable kernels.

CVE-2021-25741: subPath Symlink Exchange in Kubernetes (CVSS 8.1)

A race condition in how kubelet resolved subPath volume mounts let a user who can create pods swap a directory for a symbolic link at the right moment (a "symlink exchange") and have the mount resolve outside the volume, giving the pod read and write access to arbitrary paths on the node, including host secrets. It affected every volume type that supports subPath, not only hostPath, and is the same class of flaw as the earlier subPath issue CVE-2017-1002101. Fixed in Kubernetes 1.19.15, 1.20.11, 1.21.5 and 1.22.2; on clusters that cannot upgrade, subPath can be disabled with the VolumeSubpath feature gate.

CVE-2018-1002105: API Server Connection Hijack (CVSS 9.8)

The worst Kubernetes CVE to date. When the API server proxied a protocol-upgrade request (the kind used by pods/exec, pods/attach, pods/portforward and aggregated APIs) to a backend and the backend rejected it, the API server left the connection to the backend open and kept relaying bytes on it. Any further requests sent over that connection reached the backend carrying the API server's own TLS client credentials. Two paths followed:

  • a user with exec, attach or portforward rights on any pod could reach the kubelet API of that node and run commands in any container on it;
  • any user, including anonymous users where anonymous access was enabled (the default, and discovery calls are allowed to unauthenticated users by default), could send arbitrary requests to any aggregated API server (such as metrics-server) with full privileges on that API.

The hijacked requests travel over an already-established connection, so they do not appear in the API server's audit log; only the initial upgrade request does. Fixed in 1.10.11, 1.11.5, 1.12.3 and 1.13.0; minor versions older than 1.10 were out of support and never received a fix.

CVE-2024-21626: runc Leaked File Descriptor Escape (CVSS 8.6)

Disclosed in January 2024 as part of "Leaky Vessels": runc 1.1.11 and earlier leaked an internal file descriptor, open on the host's /sys/fs/cgroup, into the container process during setup. An image whose WORKDIR points at /proc/self/fd/<n> for that descriptor (or a runc exec --cwd with the same path) gives the container a working directory on the host filesystem; from there relative paths such as ../../.. reach the host root, and a variant overwrites the host runc binary much like CVE-2019-5736. Exploitation needs a malicious or compromised image, or the ability to exec into a container with a chosen working directory. Fixed in runc 1.1.12.
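A first-pass check that maps installed runc and Docker Engine versions to the two runc escapes above. This is an added example, not code from this post, from runc or from Docker: the fix versions come from the text (runc 1.0-rc6 and Docker 18.09.2 for CVE-2019-5736) and from the runc advisory for CVE-2024-21626 (runc 1.1.12), and SAMPLE_RUNC_OUTPUT is constructed, not captured from a real host. Distributions that backport a fix without bumping the version string will show up as hits, so treat a hit as a prompt to verify, not a verdict.

```python
import re

# Fixed versions from the upstream advisories (runc 1.0-rc6 / Docker 18.09.2
# for CVE-2019-5736 as stated above; runc 1.1.12 for CVE-2024-21626).
FIXED_IN = {
    "runc": [("CVE-2019-5736", "1.0-rc6"), ("CVE-2024-21626", "1.1.12")],
    "docker": [("CVE-2019-5736", "18.09.2")],
}

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-~.]?rc\.?(\d+))?")


def parse_version(s: str) -> tuple:
    """Map 'v1.0.0-rc93', '1.0-rc6', '1.1.12' or '18.09.2' to a comparable tuple.

    Layout is (major, minor, patch, kind, rc) with kind=0 for a release
    candidate and kind=1 for a final release, so 1.0-rc6 < 1.0.0 and
    '1.0-rc6' == '1.0.0-rc6'. Missing minor/patch components count as 0.
    """
    m = _VERSION_RE.fullmatch(s.strip().lstrip("v"))
    if m is None:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch, rc = m.groups()
    release = (int(major), int(minor or 0), int(patch or 0))
    return release + ((0, int(rc)) if rc is not None else (1, 0))


def extract_runc_version(runc_version_output: str) -> str:
    """Pull the version out of the multi-line text printed by `runc --version`."""
    m = re.search(r"^runc version (\S+)", runc_version_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'runc version' line found")
    return m.group(1)


def vulnerable_to(component: str, version: str) -> list:
    """CVE ids from FIXED_IN whose fix landed in a version newer than `version`.

    Plain version comparison: a distro that backported the fix while keeping an
    older version string is still reported here, so a hit means "verify".
    """
    v = parse_version(version)
    return [cve for cve, fixed in FIXED_IN[component] if v < parse_version(fixed)]


# Constructed sample of `runc --version` output (not taken from a real host).
SAMPLE_RUNC_OUTPUT = """runc version 1.1.11
commit: v1.1.11-0-gabcdef0
spec: 1.0.2-dev
go: go1.20.13
libseccomp: 2.5.5
"""

if __name__ == "__main__":
    checks = [
        ("runc", extract_runc_version(SAMPLE_RUNC_OUTPUT)),
        ("docker", "18.09.1"),   # docker version --format '{{.Server.Version}}'
        ("docker", "25.0.3"),
    ]
    for component, version in checks:
        hits = vulnerable_to(component, version)
        print(f"{component} {version}: {', '.join(hits) if hits else 'not affected by the CVEs listed'}")
```

On a real host, feed it `runc --version` and `docker version --format '{{.Server.Version}}'`; on Kubernetes nodes the runc binary is the one installed with containerd or CRI-O, so run runc --version on the node rather than trusting the kubelet or Docker version.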

Securing Docker

1. Never Run Containers with --privileged

--privileged gives the container every capability, access to all host devices, and turns off the default seccomp and AppArmor profiles; it is exactly the configuration CVE-2022-0492 needed. Drop everything and add back only what the workload requires:

# DANGEROUS — grants full host access
docker run --privileged myimage

# CORRECT — restrict capabilities
docker run --cap-drop ALL --cap-add NET_BIND_SERVICE myimage

2. Use Non-Root Users in Containers

Processes in a container run as root unless the image says otherwise, and an escape from a root container lands the attacker as root on the host unless user namespace remapping is in use. Create an unprivileged user in the image and switch to it before the CMD/ENTRYPOINT:

# Dockerfile
FROM node:18-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
# Everything after this line (CMD, ENTRYPOINT, RUN) executes as appuser; files
# added with COPY are still root-owned unless you pass --chown=appuser:appgroup
USER appuser

Verify with docker run --rm myimage id (it must not print uid=0), and use a supported base image tag: Node 18 reached end of life in April 2025.

3. Keep the Default Security Profiles (AppArmor/Seccomp) and Tighten Them

Docker applies its default seccomp profile to every container automatically; it blocks dozens of syscalls such as mount, unshare, keyctl, kexec_load and the kernel-module calls, which is why it neutralised the unprivileged path of CVE-2022-0492. On hosts with AppArmor (Debian, Ubuntu) the docker-default profile is applied as well. The thing to avoid is turning them off with --security-opt seccomp=unconfined or apparmor=unconfined; the --security-opt flag is meant for supplying a stricter, workload-specific profile:

# Never pass seccomp=unconfined or apparmor=unconfined
# A custom, tighter profile written for this workload
docker run --security-opt seccomp=./myapp-seccomp.json myimage
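The three controls above (no --privileged, minimal capabilities, a non-root user, intact seccomp/AppArmor) can be verified on a running host from docker inspect output. The script below is an added example, not Docker's own tooling: it reads the JSON array that docker inspect prints, flags the settings discussed in this section plus two other common escape enablers (a mounted Docker socket and the host PID namespace), and the two container records it ships with are constructed for the demo and trimmed to the fields it reads. DANGEROUS_CAPS is my selection of capabilities that undo most of the container boundary, not a Docker-defined set.

```python
import json
import sys

# Capabilities whose presence in CapAdd undoes most of the container boundary
# (module loading, ptrace, raw device access, mounting, BPF). My selection, not Docker's.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
                  "DAC_READ_SEARCH", "NET_ADMIN", "BPF", "SYS_BOOT"}
DOCKER_SOCKET = "/var/run/docker.sock"


def _caps(names) -> set:
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' (both accepted by docker run) to 'SYS_ADMIN'."""
    out = set()
    for n in names or []:
        n = n.upper()
        out.add(n[4:] if n.startswith("CAP_") else n)
    return out


def audit_container(record: dict) -> list:
    """Return finding strings for one `docker inspect` record (empty list = clean)."""
    host = record.get("HostConfig") or {}
    config = record.get("Config") or {}
    findings = []

    if host.get("Privileged"):
        findings.append("--privileged: all capabilities, all host devices, seccomp/AppArmor off")
    else:
        added = _caps(host.get("CapAdd")) & DANGEROUS_CAPS
        if added:
            findings.append(f"dangerous capabilities added: {sorted(added)}")
        if "ALL" not in _caps(host.get("CapDrop")):
            findings.append("keeps Docker's default capability set (no --cap-drop ALL)")

    # Config.User is the image's USER or the --user flag; empty means uid 0.
    user = (config.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root inside the container")

    for opt in host.get("SecurityOpt") or []:
        if opt.endswith("=unconfined"):
            findings.append(f"security profile disabled: {opt}")

    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")

    for mount in record.get("Mounts") or []:
        if mount.get("Source") == DOCKER_SOCKET:
            findings.append("Docker socket mounted: equivalent to root on the host")

    return findings


def audit_all(records: list) -> dict:
    """Map container name -> findings for every record in a `docker inspect` array."""
    return {r.get("Name", "?").lstrip("/"): audit_container(r) for r in records}


# Two constructed `docker inspect` records, trimmed to the fields read above.
SAMPLE_INSPECT = json.loads("""[
  {"Name": "/ci-runner",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "CapAdd": null, "CapDrop": null,
                  "SecurityOpt": null, "PidMode": ""},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock"}]},
  {"Name": "/web",
   "Config": {"User": "appuser"},
   "HostConfig": {"Privileged": false, "CapAdd": ["NET_BIND_SERVICE"],
                  "CapDrop": ["ALL"], "SecurityOpt": null, "PidMode": ""},
   "Mounts": []}
]""")

if __name__ == "__main__":
    # docker inspect $(docker ps -q) | python3 audit_docker.py --stdin
    records = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE_INSPECT
    for name, findings in audit_all(records).items():
        print(f"{name}: {'clean' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(f"  - {f}")
```

The "web" container, configured exactly as item 1 recommends (cap-drop ALL plus NET_BIND_SERVICE, a non-root USER), comes back clean; the "ci-runner" container is the classic worst case, and the Docker socket mount alone is enough to start a new privileged container on the host.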

4. Update Docker and runc Regularly

Four of the five CVEs above were fixed by upgrading a single package. docker version prints the bundled containerd and runc versions in its Server section; on Debian/Ubuntu with Docker's repository, runc ships inside the containerd.io package:

# Check versions (docker version lists the runc version under Server)
docker version
runc --version

# Update (Debian/Ubuntu with Docker's repository; containerd.io bundles runc)
apt-get update && apt-get install --only-upgrade docker-ce docker-ce-cli containerd.io

On Kubernetes nodes without Docker, runc comes with the containerd or CRI-O package, so update that one.

5. Scan Images with Trivy

# Scan an image for CVEs
trivy image nginx:latest
trivy image --severity HIGH,CRITICAL myapp:1.0

Securing Kubernetes

1. Enable RBAC and Least Privilege

kubeadm and the managed Kubernetes services enable RBAC (--authorization-mode=Node,RBAC); confirm it on a self-built control plane, where the kube-apiserver default is AlwaysAllow. The ongoing work is keeping grants narrow: give each workload its own ServiceAccount, grant verbs on named resources in one namespace, and bind with a RoleBinding rather than a ClusterRoleBinding:

# Create a restricted role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  # Roles are namespaced; bind this one to a ServiceAccount with a RoleBinding
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

Avoid wildcards ("*") in verbs or resources, and treat a few grants as equivalent to cluster takeover: create on pods (hostPath, hostPID, privileged), pods/exec, get or list on secrets (list returns their contents), escalate, bind and impersonate, and any binding to cluster-admin. Check what an identity can actually do with kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name>.

2. Use Pod Security Standards

Pod Security Admission replaced PodSecurityPolicy (removed in 1.25) and is enabled by default. The restricted profile rejects privileged containers, hostPID/hostNetwork/hostPath, privilege escalation and added capabilities (only NET_BIND_SERVICE may be added back after dropping ALL), and requires runAsNonRoot and a seccompProfile of RuntimeDefault or Localhost, which is the Docker hardening above expressed in Kubernetes terms:

# Enforce strict security on a namespace
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted

enforce rejects non-compliant pods at admission; audit only records violations in the audit log, and a third mode, warn, returns a warning to the kubectl user. Roll out with audit and warn first to see what breaks, then switch enforce on. The labels act at pod creation, so pods already running are not evicted, and a Deployment whose pods are rejected fails quietly at the ReplicaSet level until you look at its events.

3. Network Policies to Isolate Pods

By default every pod can reach every other pod in the cluster, so one compromised container can talk to databases, internal APIs and the kubelet on other nodes. A default-deny policy per namespace turns that into allow-list networking:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}        # an empty selector matches every pod in the namespace
  policyTypes:
  - Ingress
  # No ingress rules listed = no incoming traffic is allowed to the selected pods

Two caveats. This blocks ingress only; add Egress to policyTypes (with an explicit rule allowing DNS to kube-system) to stop a compromised pod from calling out. And NetworkPolicy is enforced by the CNI plugin, not by Kubernetes itself: a cluster whose CNI lacks policy support (plain Flannel, for example) accepts the object and silently ignores it.

4. Enable Kubernetes Audit Logging

Audit logging is off until you configure it. On a kubeadm cluster the flags go into /etc/kubernetes/manifests/kube-apiserver.yaml, and both the log directory and the policy file must be mounted into the API server pod with hostPath volumes:

# kube-apiserver flags
--audit-log-path=/var/log/kubernetes/audit.log
--audit-log-maxage=30
--audit-policy-file=/etc/kubernetes/audit-policy.yaml

The policy file decides what is recorded; with no policy nothing is logged. A reasonable baseline logs Metadata for every request and RequestResponse for writes to RBAC objects, but never more than Metadata for secrets, configmaps and tokenreviews, or their contents end up in the log. Managed services expose the same events through their cloud logging products; in every case ship the log off the node, so an attacker with node root cannot erase it.
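Audit logs are only useful if someone reads them. As an added example (not part of this post or of Kubernetes), the script below triages the JSON-lines file that --audit-log-path produces and surfaces the activity that typically follows the CVEs above: secrets enumeration by a non-control-plane identity, pods/exec sessions, successful anonymous requests, and changes to ClusterRoleBindings. The events it contains are constructed with the real audit.k8s.io/v1 Event field layout but fictitious users, names and IDs; CONTROL_PLANE_PREFIXES is an assumption you should tune per cluster. For CVE-2018-1002105 only the initial upgrade request is visible here, since the hijacked requests never reach the audit log.

```python
import json

# Identities whose secret reads and RBAC changes are expected control-plane
# behaviour. An assumption for the demo; tune it per cluster.
CONTROL_PLANE_PREFIXES = ("system:kube-", "system:node:", "system:apiserver",
                          "system:serviceaccount:kube-system:")
INTERACTIVE_SUBRESOURCES = {"exec", "attach", "portforward"}


def is_control_plane(username: str) -> bool:
    return username.startswith(CONTROL_PLANE_PREFIXES)


def classify(event: dict) -> list:
    """Return reason strings for one audit Event; an empty list means nothing to triage."""
    user = (event.get("user") or {}).get("username", "")
    verb = event.get("verb", "")
    ref = event.get("objectRef") or {}
    resource, sub, ns = ref.get("resource"), ref.get("subresource"), ref.get("namespace")
    code = (event.get("responseStatus") or {}).get("code", 0)
    reasons = []

    # Denied requests are RBAC doing its job; only successful ones are triaged here.
    if code >= 400:
        return reasons
    if user == "system:anonymous":
        reasons.append(f"anonymous {verb} on {resource} succeeded (code {code})")
    if resource == "secrets" and verb in ("list", "watch") and not is_control_plane(user):
        scope = f"namespace {ns}" if ns else "ALL namespaces"
        reasons.append(f"{user} {verb} secrets in {scope}")
    if resource == "pods" and sub in INTERACTIVE_SUBRESOURCES:
        reasons.append(f"{user} opened pods/{sub} on {ns}/{ref.get('name')}")
    if (resource == "clusterrolebindings" and verb in ("create", "update", "patch")
            and not is_control_plane(user)):
        reasons.append(f"{user} changed cluster-wide RBAC: {verb} {ref.get('name')}")
    return reasons


def triage(lines) -> list:
    """(auditID, reasons) for every JSON-lines audit event that trips a rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        # Long-running requests are logged at several stages; count each request once.
        if event.get("stage") != "ResponseComplete":
            continue
        reasons = classify(event)
        if reasons:
            hits.append((event["auditID"], reasons))
    return hits


def _event(audit_id, stage, uri, verb, user, ref, code):
    """Build a constructed audit.k8s.io/v1 Event with the real field layout."""
    groups = ["system:unauthenticated"] if user == "system:anonymous" else ["system:authenticated"]
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
            "auditID": audit_id, "stage": stage, "requestURI": uri, "verb": verb,
            "user": {"username": user, "groups": groups}, "sourceIPs": ["10.244.1.7"],
            "objectRef": ref, "responseStatus": {"code": code}}


# Constructed sample log (fictitious users and names), one JSON event per line.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("a2", "RequestReceived", "/api/v1/namespaces/prod/pods/api-0/exec?command=sh", "create",
           "dev-alice", {"resource": "pods", "namespace": "prod", "name": "api-0", "subresource": "exec"}, 0),
    _event("a1", "ResponseComplete", "/api/v1/secrets?limit=500", "list",
           "system:serviceaccount:default:default", {"resource": "secrets", "apiVersion": "v1"}, 200),
    _event("a2", "ResponseComplete", "/api/v1/namespaces/prod/pods/api-0/exec?command=sh", "create",
           "dev-alice", {"resource": "pods", "namespace": "prod", "name": "api-0", "subresource": "exec"}, 101),
    _event("a3", "ResponseComplete", "/api/v1/namespaces/prod/pods", "list",
           "dev-alice", {"resource": "pods", "namespace": "prod"}, 200),
    _event("a4", "ResponseComplete", "/api/v1/namespaces/default/pods", "list",
           "system:anonymous", {"resource": "pods", "namespace": "default"}, 403),
    _event("a5", "ResponseComplete", "/api/v1/pods", "list",
           "system:anonymous", {"resource": "pods"}, 200),
    _event("a6", "ResponseComplete", "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings", "create",
           "dev-bob", {"resource": "clusterrolebindings", "name": "bob-admin"}, 201),
    _event("a7", "ResponseComplete", "/api/v1/secrets", "list",
           "system:kube-controller-manager", {"resource": "secrets"}, 200),
])

if __name__ == "__main__":
    # python3 triage_audit.py < /var/log/kubernetes/audit.log  (replace the sample with sys.stdin)
    for audit_id, reasons in triage(SAMPLE_AUDIT_LOG.splitlines()):
        print(audit_id, "; ".join(reasons))
```

The cluster-wide secrets list by the default ServiceAccount (a1) is the event to care about most: it is what a pod compromised through any of the escapes above does first, and it only appears if your policy logs secrets at Metadata level or higher.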

5. Encrypt Secrets at Rest

By default etcd stores Secrets base64-encoded but otherwise in plaintext, so anyone with etcd access or a copy of an etcd backup has every secret in the cluster. An EncryptionConfiguration passed to the API server with --encryption-provider-config encrypts them before they reach etcd:

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  # The first provider encrypts new writes; later ones are only tried when reading
  - aescbc:
      keys:
      - name: key1
        secret: <base64-encoded-secret>   # 32 random bytes, e.g. head -c 32 /dev/urandom | base64
  # Lets the API server still read secrets written before encryption was turned on
  - identity: {}

Two caveats. Existing secrets stay in plaintext until they are rewritten (kubectl get secrets --all-namespaces -o json | kubectl replace -f -), and the key file lives on the control-plane host, so this protects against etcd exposure, not against control-plane compromise. The Kubernetes documentation no longer recommends aescbc because of CBC padding-oracle concerns; prefer a KMS v2 provider, or secretbox where no KMS is available.

6. Never Expose the Kubernetes Dashboard to the Internet

The Kubernetes Dashboard has been the entry point in numerous compromises (Tesla, Shopify and others) when reachable without authentication; in the 2018 Tesla case the Dashboard was open to the internet with no password, and the cloud credentials visible through it were used for cryptomining. If you run it at all, reach it through kubectl proxy or an authenticated ingress, log in with a short-lived token instead of a cluster-admin ServiceAccount, and never start it with --enable-skip-login.

Container Security Tools

  • Trivy: CVE scanner for images and clusters
  • Falco: runtime anomaly detection in containers
  • kube-bench: CIS Kubernetes compliance audit
  • kube-hunter: automated Kubernetes penetration testing
  • OPA/Gatekeeper: policy enforcement for Kubernetes

Check Docker and Kubernetes CVEs on cveo.tech — search for docker, kubernetes or runc for a complete inventory.
