Container Escape
What is Container Escape?
An exploit that breaks the isolation boundary between a container and its host, giving the attacker code execution on the underlying node or kernel.
Container escape exploits weaknesses in the container runtime, kernel, or misconfigured host namespaces to break out of an isolated container and gain privileges on the host operating system. Classic examples include CVE-2019-5736 in runC, where a malicious container could overwrite the runC binary and gain root on the host, and abuses of privileged containers, mounted Docker sockets, or shared PID namespaces. Once escaped, the attacker often pivots laterally across the cluster, steals kubelet credentials, and accesses other workloads. Mitigations include rootless containers, seccomp and AppArmor profiles, read-only filesystems, gVisor or Kata sandboxes, and prompt patching of runtime CVEs.
● Examples
1. Exploiting CVE-2019-5736 to overwrite /usr/bin/runc and execute code as root on the host.
2. A privileged container mounting /var/run/docker.sock and creating a new container with the host filesystem.
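The mitigations in the definition above (no privileged containers, no mounted Docker socket, no shared host PID namespace, read-only root filesystems, seccomp profiles, rootless execution) can be checked statically on a Pod manifest before it is admitted, which also catches the second example above. The following Python is an added example, not code from this page or from any named project; the two Pod specs are constructed inline, and the field names are the standard Kubernetes Pod `securityContext` fields.

```python
"""Static audit of a Kubernetes Pod spec for the container-escape enablers
named in the definition above.  Added example code; the Pod specs below are
constructed for illustration and are not from the original page."""

# Host paths that hand a container the node's container runtime.
RUNTIME_SOCKETS = {
    "/var/run/docker.sock",
    "/run/docker.sock",
    "/run/containerd/containerd.sock",
}


def audit_pod(pod: dict) -> list:
    """Return a list of human-readable findings; an empty list means the
    Pod carries none of the risky settings this check knows about."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Shared PID namespace lets a container see and signal host processes.
    if spec.get("hostPID"):
        findings.append("pod: hostPID=true shares the host PID namespace")

    # hostPath volumes that expose the container runtime socket.
    socket_volumes = set()
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path in RUNTIME_SOCKETS:
            socket_volumes.add(vol["name"])
            findings.append(f"volume {vol['name']}: hostPath {path} exposes the runtime socket")

    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {name}: privileged=true")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"container {name}: root filesystem is writable")
        # Container-level seccomp overrides the pod-level setting.
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") in (None, "Unconfined"):
            findings.append(f"container {name}: no seccomp profile applied")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(f"container {name}: may run as root")
        for mount in c.get("volumeMounts", []):
            if mount.get("name") in socket_volumes:
                findings.append(f"container {name}: mounts runtime socket volume {mount['name']}")
    return findings


def is_hardened(pod: dict) -> bool:
    return not audit_pod(pod)


# Constructed sample: the weak configuration from the examples list.
RISKY_POD = {
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "app",
            "image": "example/app:1.0",  # placeholder image name
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    }
}

# Constructed sample: the same workload with the mitigations applied.
HARDENED_POD = {
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app",
            "image": "example/app:1.0",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }
}

if __name__ == "__main__":
    for label, pod in (("risky", RISKY_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(audit_pod(pod))} finding(s)")
        for f in audit_pod(pod):
            print("  -", f)
```

The check is intentionally a static, allow-by-default filter: it only reports settings that are explicitly risky or explicitly missing, so it can sit in front of a cluster as a pre-admission gate alongside the runtime controls (seccomp, AppArmor, sandboxed runtimes) rather than replacing them.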
● Frequently asked questions
What is Container Escape?
An exploit that breaks the isolation boundary between a container and its host, giving the attacker code execution on the underlying node or kernel. It belongs to the Cloud Security category of cybersecurity.
How do you defend against Container Escape?
Defences for Container Escape combine technical controls (rootless containers, seccomp and AppArmor profiles, read-only filesystems, gVisor or Kata sandboxes) with operational practices such as prompt patching of runtime CVEs and avoiding privileged containers, mounted Docker sockets and shared PID namespaces, as described in the full definition above.
What are other names for Container Escape?
Common alternative names include: Container breakout, Docker escape.
● Related terms
- Kubernetes Cluster Attack (cloud security): An intrusion against a Kubernetes (K8s) cluster that abuses exposed APIs, weak RBAC, or vulnerable workloads to gain control of the control plane or worker nodes.
- IAM Privilege Escalation (cloud security): Abusing existing cloud IAM permissions to gain higher privileges, often via policy editing, role passing, or self-granting administrative rights.
- Cloud Metadata SSRF (cloud security): A server-side request forgery attack that abuses a vulnerable application to query a cloud provider's instance metadata service and steal temporary credentials.
- Cloud Data Exfiltration (cloud security): The unauthorized copy or transfer of data out of a cloud account, often via object storage APIs, snapshots, replication, or attacker-controlled accounts.
- Privilege Escalation (vulnerabilities): A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.
● See also
- Cloud Cryptojacking
- Sandbox Escape
- Docker Socket Attack