
CVE-2024-21626: CWE-403: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') in opencontainers runc

Severity: High
Tags: Vulnerability, CVE-2024-21626, cve, cwe-403, cwe-668
Published: Wed Jan 31 2024 (01/31/2024, 21:31:14 UTC)
Source: CVE
Vendor/Project: opencontainers
Product: runc

Description

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

AI-Powered Analysis

Last updated: 07/04/2025, 19:40:54 UTC

Technical Analysis

CVE-2024-21626 is a high-severity vulnerability in runc, the reference OCI container runtime that sits underneath Docker Engine, containerd, CRI-O and therefore most Kubernetes nodes. Affected versions run from 1.0.0-rc93 up to but not including 1.1.12. The root cause is an internal file descriptor leak: runc kept a directory descriptor into the host's /sys/fs/cgroup hierarchy open while setting up a container and did not close it (or mark it close-on-exec) before starting the container's init process, so the new process inherited a handle to a host directory that lies outside its mount namespace. Because /proc/self/fd/<n> resolves to whatever descriptor <n> currently points at, a container configuration whose process.cwd is set to a path such as /proc/self/fd/<n>/ starts the process with its working directory on the host filesystem; relative paths like ../../../ then walk to the rest of the host. The exact descriptor number depends on how runc was invoked, which is why the attacks are described as semi-arbitrary rather than fully deterministic. Three variants follow: (1) a malicious image sets its working directory to the leaked descriptor so that 'runc run' produces a container with host filesystem access (attack 1 in the upstream advisory); (2) an attacker who can influence the working directory passed to 'runc exec' obtains the same access inside an already-running container (attack 2); and (3) variants of both use that access to overwrite semi-arbitrary host binaries, turning filesystem access into code execution as root on the host (attacks 3a and 3b). The vulnerability is classified under CWE-403 (Exposure of File Descriptor to Unintended Control Sphere) and CWE-668 (Exposure of Resource to Wrong Sphere). The CVSS v3.1 base score is 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H): local attack vector, low complexity, no privileges required, user interaction needed (an operator must run the malicious image or issue the exec), and a changed scope, since the compromised component is the container runtime but the impact lands on the host. The fix shipped in runc 1.1.12, which closes the leaked descriptors before exec. At the time of this analysis no in-the-wild exploitation had been reported, but public proof-of-concept images were published shortly after disclosure, and the ease of the attack makes any environment that runs untrusted images or exec requests on a vulnerable runc a critical risk.

Potential Impact

For European organizations, the risk concentrates in any environment that runs container images or exec requests it does not fully control: shared Kubernetes clusters, CI/CD runners that build or test third-party images, managed platforms offered to customers, and developer workstations that pull images from public registries. Containerization is widely adopted across finance, healthcare, manufacturing and public services, and most Kubernetes distributions use runc (via containerd or CRI-O) as the default low-level runtime, so the exposed population is large. Successful exploitation breaks the isolation boundary that the whole platform relies on: the attacker reads or writes the node's filesystem, can modify binaries that later run as root, and from there moves laterally to every other workload on the node and to anything the node's credentials can reach. For operators handling GDPR-protected personal data, a compromised node is a reportable breach scenario; for critical-infrastructure operators it is an integrity and availability risk. The absence of reported in-the-wild exploitation leaves a window for proactive patching, but public proof-of-concept images exist and the CVSS 8.6 score reflects the consequences if that window is missed.

Mitigation Recommendations

European organizations should upgrade runc to 1.1.12 or later on every node. runc is rarely installed on its own: Docker Engine, containerd, CRI-O and Podman packages each bundle or depend on a specific runc build, so upgrade the higher-level runtime package and then confirm the result with `runc --version` on the host (on Docker hosts, `docker info` also reports the runc version in use). Nodes configured to use a different low-level runtime such as crun do not share this runc code path, but verify what each node's CRI is actually configured to run rather than assuming. Until every node is patched, treat any image or exec request whose working directory points under /proc/<pid>/fd/ as hostile: an admission policy or image scan that rejects such WorkingDir values catches the documented vector, though it will not catch a symlink inside the image's rootfs that resolves to the same place, so this is triage, not a substitute for the upgrade. Beyond patching, organizations should implement strict container runtime security policies, including: (1) enforcing least privilege for container processes and dropping unnecessary capabilities; (2) employing container security tools that monitor for anomalous container behaviour, in particular container processes opening paths outside their rootfs; (3) isolating critical workloads on dedicated hosts or nodes with enhanced monitoring; (4) using kernel security modules (e.g., SELinux, AppArmor) to restrict container access to host resources; (5) regularly auditing container images, including their configured working directory, to keep malicious images out of production; and (6) integrating vulnerability scanning into CI/CD pipelines so that vulnerable runc versions are caught before deployment. Network segmentation and host-based intrusion detection systems can help detect and contain breaches that result from exploitation. Finally, organizations should maintain an incident response plan tailored to container escape scenarios, since a confirmed escape means the node, not just the container, must be rebuilt.
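The two checks described above, as an added example that is not part of this page or of the runc project: a version check that decides whether a `runc --version` string falls inside the affected range [1.0.0-rc93, 1.1.12), and a triage check that flags an OCI bundle config.json whose process.cwd resolves through /proc/<pid>/fd/. The version regex, the tuple encoding, the `_PROC_FD_RE` pattern and the sample configs are this example's own assumptions; the only external call is the real `runc --version`.

```python
"""Added example (not runc project code): triage helpers for CVE-2024-21626.

  1. is the installed runc inside the affected range [1.0.0-rc93, 1.1.12)?
  2. does an OCI bundle config.json start the process with a working
     directory under /proc/<pid>/fd/, the documented escape vector?
The parser, regexes and sample configs are assumptions of this example.
"""
import json
import posixpath
import re
import subprocess

# `runc --version` prints "runc version 1.1.11" (or "1.0.0-rc93") on line 1.
_VERSION_RE = re.compile(r"runc version (\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?")

# Affected range as sortable tuples: (major, minor, patch, is_release, rc).
# A release (is_release=1) sorts after every rc of the same x.y.z,
# so 1.1.12-rc1 < 1.1.12 and is still treated as vulnerable.
FIRST_AFFECTED = (1, 0, 0, 0, 93)   # 1.0.0-rc93
FIXED = (1, 1, 12, 1, 0)            # 1.1.12


def parse_runc_version(output: str) -> tuple:
    """Turn `runc --version` output into a comparable tuple."""
    m = _VERSION_RE.search(output)
    if m is None:
        raise ValueError("unrecognised `runc --version` output: %r" % output[:60])
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def is_vulnerable_version(output: str) -> bool:
    return FIRST_AFFECTED <= parse_runc_version(output) < FIXED


def installed_runc_is_vulnerable(binary: str = "runc"):
    """Run the real binary; returns None when runc is not on PATH."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return is_vulnerable_version(out)


# process.cwd values that resolve through a leaked descriptor. This is a
# string check: a symlink inside the rootfs that points at /proc/self/fd/<n>
# would not be caught here.
_PROC_FD_RE = re.compile(r"^/proc/(?:self|thread-self|\d+)/fd(?:/|$)")


def cwd_uses_proc_fd(config: dict) -> bool:
    """True if an OCI runtime config's process.cwd goes through /proc/*/fd."""
    cwd = config.get("process", {}).get("cwd", "/")
    return bool(_PROC_FD_RE.match(posixpath.normpath(cwd)))


def audit_bundle_config(config_json: str) -> list:
    """Return human-readable findings for one config.json document."""
    cfg = json.loads(config_json)
    findings = []
    if cwd_uses_proc_fd(cfg):
        findings.append("process.cwd=%r resolves via /proc/*/fd (CVE-2024-21626 vector)"
                        % cfg["process"]["cwd"])
    return findings


# Constructed sample configs (minimal OCI runtime specs, not real bundles).
SAFE_CONFIG = json.dumps({"ociVersion": "1.0.2",
                          "process": {"cwd": "/app", "args": ["/bin/sh"]}})
ESCAPE_CONFIG = json.dumps({"ociVersion": "1.0.2",
                            "process": {"cwd": "/proc/self/fd/7/", "args": ["/bin/sh"]}})
DOTTED_CONFIG = json.dumps({"ociVersion": "1.0.2",
                            "process": {"cwd": "/tmp/../proc/self/fd/7", "args": ["/bin/sh"]}})

if __name__ == "__main__":
    print("installed runc vulnerable:", installed_runc_is_vulnerable())
    for name, doc in (("safe", SAFE_CONFIG), ("escape", ESCAPE_CONFIG), ("dotted", DOTTED_CONFIG)):
        print(name, audit_bundle_config(doc) or ["ok"])
```

The cwd check normalizes the path first so that `/tmp/../proc/self/fd/7` is caught as well as the literal form; run it over the config.json of every bundle under the runtime's state directory, or over image configs at admission time, and treat any finding as a reason to block the workload until the node is on runc 1.1.12 or later.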


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2023-12-29T03:00:44.953Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec4de

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 7:40:54 PM

Last updated: 8/15/2025, 2:57:51 PM

