Open Containers Runc Local Command Execution Vulnerability (CVE-2019-5736)

February 12, 2019


Open Containers runc is prone to a local command-execution vulnerability. Runc is a command-line utility for spawning and running containers. It is the container runtime that underpins many open source container management systems, including Docker, Kubernetes, containerd, Podman, and CRI-O. [1] [3]


  • A local attacker can exploit this issue to execute arbitrary commands with root privileges.
  • The flaw allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling related to /proc/self/exe. [2]


  • Runc through version 1.0-rc6.
  • Many popular container management systems and providers are affected, including Docker, Kubernetes, containerd, Podman, CRI-O, Amazon AWS, and Red Hat Linux.
  • For a list of products and versions affected, please see the links in the References section.


  • Update any vulnerable systems immediately. Exploit code for this vulnerability is set to be made public on Feb 18th, 2019.
  • Consult relevant vendor advisories for patch information (e.g. Docker, Kubernetes).
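The upstream runc fix for this issue copied the runc binary into a sealed, anonymous memory file before joining the container's namespaces, so that /proc/self/exe as seen from inside the container no longer refers to the writable host binary. The C program below is an added illustration of that defensive pattern, not runc's own code; the memfd name "sealed-self" and the function names are constructed for this example, and the final step of re-executing from the returned descriptor (fexecve) is left out.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy the running executable (/proc/self/exe) into an anonymous memory
 * file, seal it, and return the descriptor (-1 on error). A process that
 * later reaches this fd through /proc/<pid>/exe or /proc/<pid>/fd/ sees
 * an immutable copy, not the host's on-disk binary. */
int clone_self_to_sealed_memfd(void)
{
    int src = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (src < 0)
        return -1;
    /* MFD_ALLOW_SEALING is required, or F_ADD_SEALS fails with EPERM. */
    int memfd = memfd_create("sealed-self", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (memfd < 0) {
        close(src);
        return -1;
    }
    char buf[65536];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(memfd, buf + off, n - off);
            if (w < 0) { n = -1; break; }
            off += w;
        }
        if (n < 0) break;
    }
    close(src);
    /* Forbid growing, shrinking and writing, and forbid removing seals. */
    if (n < 0 || fcntl(memfd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW |
                                            F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(memfd);
        return -1;
    }
    return memfd;
}

/* Non-zero when the descriptor carries every seal applied above. */
int memfd_is_fully_sealed(int fd)
{
    int want = F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL;
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & want) == want;
}
```

A runtime using this pattern would re-execute itself from the returned descriptor before entering the container's mount namespace, so any handle the container later obtains points at the sealed copy.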