What starting position does this attack require?

The first step is Identify vulnerable runc version (W-RECON-FINGERPRINT) — a reconnaissance primitive. Assumed environment: target runs runc < 1.

What is the final impact of this kill-chain?

The final step lands on Trigger image build / run (K-IMAGE-BACKDOOR), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

CVE-2024-21626 (Leaky Vessels) → container escape

Outdated runc lets a malicious image escape during 'docker build' or 'docker run' via a leaked file descriptor pointing at the host filesystem.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Reconnaissance

Identify vulnerable runc version

W-RECON-FINGERPRINT · Tech Stack Fingerprinting

Privilege Escalation

File descriptor points at host root

K-PRIV-CONTAINER · Privileged Container Escape

Privilege Escalation

Read/write host filesystem

K-HOSTPATH-MOUNT · hostPath Volume Mount

Privilege Escalation

Craft image with WORKDIR /proc/self/fd/<N>

K-CVE-2024-21626 · runc CVE-2024-21626 (Leaky Vessels)

Persistence

Trigger image build / run

K-IMAGE-BACKDOOR · Backdoored Container Image

§ Context

Assumed environment: target runs runc < 1.1.12 (or BuildKit < 0.12.5). Attacker can push a custom image into the build / runtime pipeline.

§ Steps

01
Identify vulnerable runc versionReconnaissance
W-RECON-FINGERPRINT— Tech Stack Fingerprinting
02
File descriptor points at host rootPrivilege Escalation
K-PRIV-CONTAINER— Privileged Container Escape
03
Read/write host filesystemPrivilege Escalation
K-HOSTPATH-MOUNT— hostPath Volume Mount
04
Craft image with WORKDIR /proc/self/fd/<N>Privilege Escalation
K-CVE-2024-21626— runc CVE-2024-21626 (Leaky Vessels)
05
Trigger image build / runPersistence
K-IMAGE-BACKDOOR— Backdoored Container Image

§ Frequently asked

What is the "CVE-2024-21626 (Leaky Vessels) → container escape" attack path?: Outdated runc lets a malicious image escape during 'docker build' or 'docker run' via a leaked file descriptor pointing at the host filesystem. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Identify vulnerable runc version (W-RECON-FINGERPRINT) — a reconnaissance primitive. Assumed environment: target runs runc < 1.
What is the final impact of this kill-chain?: The final step lands on Trigger image build / run (K-IMAGE-BACKDOOR), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

CVE-2024-21626 (Leaky Vessels) → container escape

§ Context

§ Steps

§ Frequently asked

§ Related dossiers

ArgoCD weak RBAC → cluster admin via custom Application

Privileged pod escape → cluster admin

Docker socket exposed in pod → host root