
runc

runc is the OCI reference implementation for spawning and running containers. It is the default low-level runtime beneath both Docker Engine and containerd, so container escape vulnerabilities are reported against runc itself, not against the higher-level runtimes that delegate to it. Because runc ships as its own binary, the version to check is the installed runc version (from runc --version, or the runc version line in docker info), not the Docker or containerd release. NVD tracks it as linuxfoundation:runc (not opencontainers:runc; the latter has no CPE dictionary entries).

api usage

Querying runc

product slug: runc
version format: 1.1.11, 1.4.2
bash
curl "https://api.attestd.io/v1/check?product=runc&version=1.1.11" \
  -H "Authorization: Bearer $ATTESTD_KEY"

runc 1.1.11 is affected by CVE-2024-21626 (disclosed January 2024, fixed in 1.1.12): an internal file descriptor was leaked into the container's initial process, and a working directory or symlink pointing at /proc/self/fd/<n> lets that process obtain a handle on the host filesystem and escape the container. The response below reflects the check for 1.1.11; treat the actively_exploited flag as a point-in-time value and re-query rather than caching it.

json
{
  "product": "runc",
  "version": "1.1.11",
  "supported": true,
  "risk_state": "high",
  "risk_factors": [
    "remote_code_execution",
    "no_authentication_required",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "1.1.12 or later",
  "confidence": 0.85,
  "cve_ids": ["CVE-2024-21626"],
  "last_updated": "2026-04-25T00:00:00Z"
}
safe version

runc 1.4.2 is past the fix for CVE-2024-21626 (1.1.12) and outside every other runc range in NVD as of the last verification; re-run /v1/check after major NVD updates, since a clean result only reflects the ranges known at that time.

bash
curl "https://api.attestd.io/v1/check?product=runc&version=1.4.2" \
  -H "Authorization: Bearer $ATTESTD_KEY"
notable cves

CVE history

runc's CVE history is dominated by container escape vulnerabilities — cases where a process inside a container can reach the host filesystem, process table, or network namespace.

Each entry lists the CVE, the affected upstream versions, the CVSS score, and a short description.

CVE-2024-21626 (affects < 1.1.12, CVSS 8.6): internal file descriptor leaked into the container; a working directory or symlink at /proc/self/fd/<n> gives the container process access to the host filesystem.
CVE-2019-5736 (affects <= 1.0-rc6, CVSS 8.6): a malicious container image or a process attacked via runc exec can overwrite the host runc binary through /proc/self/exe, giving root on the host.
CVE-2021-30465 (affects < 1.0.0-rc95, CVSS 7.5): symlink-exchange race during volume mount processing lets a mount target be swapped out from under runc, redirecting the mount onto the host filesystem.
CVE-2022-29162 (affects < 1.1.2, CVSS 7.8): runc exec --cap left the process's inheritable capability set non-empty, so binaries with inheritable file capabilities could raise those capabilities to the permitted set on execve(2).
CVE-2023-25809 (affects < 1.1.5, CVSS 6.3): in rootless mode, /sys/fs/cgroup could be mounted writable inside the container under some cgroup v2 configurations, letting the container tamper with host-side cgroup state.
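The curl calls above and the table here both come down to one question: does a given runc version fall inside a known affected range? As an added example (not part of this page's API, and not runc project code), the script below answers that locally for the ranges listed in the table, which is useful as a pre-filter before calling /v1/check or when the host has no network access. It parses `runc --version` output, orders release candidates before final releases (1.0.0-rc95 < 1.0.0), and reads distro package strings such as a Debian/Ubuntu "1.1.12-0ubuntu2~22.04.1" as the upstream version they report. That last point is the caveat: distributions sometimes backport fixes without bumping the upstream version, so a hit from this matcher means "check the package changelog", and the API response on this page remains the authoritative answer. The sample `runc --version` output is constructed for the example; the version bounds are the Affects column of the table.

```python
"""Local pre-check of a runc version against the CVE ranges listed on this page.

Added example, not runc's or attestd's own code. The bounds in KNOWN_CVES are
taken from the page's CVE history table (upstream versions). Packaged builds
that backport a fix under an older upstream version number will still match.
"""
import re

# Captures major.minor[.patch][-rcN]; anything after that (for example a
# Debian/Ubuntu "-0ubuntu2~22.04.1" suffix) is ignored, so a packaged build is
# read as the upstream version it reports.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_version(text):
    """Return a comparable tuple; release candidates sort before the final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised runc version: {text!r}")
    major, minor, patch, rc = m.groups()
    patch = int(patch) if patch else 0  # "1.0-rc6" is the same as 1.0.0-rc6
    if rc is not None:
        return (int(major), int(minor), patch, 0, int(rc))  # pre-release
    return (int(major), int(minor), patch, 1, 0)  # final release


# (cve, comparison, bound): "lt" = fixed in that release, "le" = vulnerable through it.
KNOWN_CVES = [
    ("CVE-2019-5736", "le", "1.0-rc6"),
    ("CVE-2021-30465", "lt", "1.0.0-rc95"),
    ("CVE-2022-29162", "lt", "1.1.2"),
    ("CVE-2023-25809", "lt", "1.1.5"),
    ("CVE-2024-21626", "lt", "1.1.12"),
]


def cves_for(version):
    """CVE ids from the page's table whose affected range contains `version`."""
    v = parse_version(version)
    hits = []
    for cve, op, bound in KNOWN_CVES:
        b = parse_version(bound)
        if (op == "lt" and v < b) or (op == "le" and v <= b):
            hits.append(cve)
    return hits


def version_from_runc_output(output):
    """Extract the version from `runc --version` output ('runc version X' on the first line)."""
    for line in output.splitlines():
        m = re.match(r"^runc version (\S+)", line)
        if m:
            return m.group(1)
    raise ValueError("no 'runc version' line found")


# Constructed sample of `runc --version` output from a host running 1.1.11.
SAMPLE_OUTPUT = """\
runc version 1.1.11
commit: v1.1.11-0-g4bccb38
spec: 1.0.2-dev
go: go1.20.13
libseccomp: 2.5.4
"""


def assess(output):
    """Return (version, matching CVE ids) for captured `runc --version` output."""
    version = version_from_runc_output(output)
    return version, cves_for(version)


if __name__ == "__main__":
    version, hits = assess(SAMPLE_OUTPUT)
    print(f"runc {version}: {', '.join(hits) if hits else 'no listed CVEs'}")
```

Run it against `runc --version` captured from each host; anything that matches is a candidate for the /v1/check query above, and anything that reports a version below 1.1.12 but claims to carry the fix should be confirmed from the package changelog rather than trusted on the version string alone.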
related