runc container escape via symlink race condition — malicious container image can write to host filesystem on startup. Update runc and container runtimes. Scan all container images for malicious symlink patterns before allowing execution.
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. An attacker could create a malicious container image that, when started, causes the container management software to write files anywhere on the host filesystem.
Supernova subscribers receive AI-triaged CVE alerts the moment they're published — before the PoC drops.
Start Supernova — $99/mo →