CISO Brief

All news with the #container escape tag

8 articles

EngageLab SDK Flaw Exposed Millions of Android Users

🔒 Microsoft Defender disclosed a patched vulnerability in the EngageLab SDK that could allow co-located apps on an Android device to bypass the system sandbox and access private app data. The issue, introduced in version 4.5.4 and characterized as an intent redirection vulnerability, affected many cryptocurrency and wallet apps: wallet installations exceeded 30 million and total installs topped 50 million. EngageLab released version 5.2.1 in November 2025 after a responsible disclosure in April 2025; detected vulnerable apps were removed from Google Play and developers are urged to update immediately.

CrackArmor: AppArmor Linux Flaws Allow Local Root Access

🛡️ Qualys TRU has disclosed 'CrackArmor,' a set of nine AppArmor vulnerabilities present since Linux kernel 4.11 (2017). These AppArmor flaws allow local, unprivileged users to manipulate security profiles via kernel pseudo-files, enabling local privilege escalation, container isolation bypass, Denial-of-Service and potential kernel-memory exposure. Qualys developed proof-of-concept exploits but has not publicly released the code to limit risk. Organizations should prioritize applying vendor kernel updates and scanning for affected systems.

Nine Critical AppArmor Flaws Expose Millions of Linux Hosts

⚠ Qualys disclosed nine critical vulnerabilities in AppArmor, the Linux Security Module enabled by default on Ubuntu, Debian, and SUSE. Dubbed “CrackArmor,” the flaws date back to the Linux 4.11 kernel and allow an unprivileged local user to manipulate profiles to gain full root, escape containers, or crash systems. Qualys estimates over 12.6 million exposed enterprise instances and emphasizes immediate kernel patching; fixes have landed upstream in coordination with major distro maintainers.

CISA: VMware ESXi Flaw Now Used in Ransomware Attacks

🔒 CISA confirmed ransomware gangs are exploiting a high-severity VMware ESXi sandbox escape (CVE-2025-22225) patched by Broadcom in March 2025 alongside related fixes. The vulnerability permits an attacker with privileges in the VMX process to trigger an arbitrary kernel write and escape the virtual machine sandbox. Organizations are urged to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue affected products if mitigations are unavailable.

Coolify patches 11 critical flaws enabling root compromise

🔒 Researchers disclosed 11 critical vulnerabilities in Coolify, an open-source self-hosting platform, including multiple authenticated command injections, remote code execution, container escape and an information disclosure of the root SSH private key. Several issues carry CVSS scores of 9.4–10.0 and allow attackers with low or moderate privileges to execute arbitrary commands as root or obtain persistent access. Operators should upgrade to patched releases or apply vendor mitigations immediately.

High-severity runc bugs allow container breakouts via procfs

⚠ Three high-severity vulnerabilities in the runc container runtime allow attackers to escape containers and gain host-level privileges by abusing masked paths, console bind-mounts, and redirected writes to procfs. Aleksa Sarai of SUSE and the OCI described logic flaws that let runc mount or write to sensitive /proc targets, including /proc/sys/kernel/core_pattern and /proc/sysrq-trigger. Patches are available in runc 1.2.8, 1.3.3 and 1.4.0-rc.3; administrators should update promptly, favor rootless containers where feasible, and monitor for suspicious symlink behaviour.

Critical runC Vulnerabilities Allow Docker Container Escape

⚠️ Three newly disclosed vulnerabilities in runC (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) could allow attackers to bypass container isolation and obtain root write access on the host. The issues involve manipulated bind mounts and redirected writes to /proc, and one flaw affects runC releases back to 1.0.0-rc3. Patches are available in recent runC releases; administrators should update, monitor for suspicious symlink/mount activity, and consider enabling user namespaces or running rootless containers as mitigations.

Docker fixes critical container escape CVE-2025-9074

🚨 Docker has released an urgent patch for CVE-2025-9074, a critical container escape flaw in Docker Desktop for Windows and macOS that carries a CVSS score of 9.3. A malicious container could reach the Docker Engine API at 192.168.65.7:2375 without authentication, create and start new containers that bind the host C:\ drive and thereby access or modify host files. The issue is fixed in version 4.44.3; Enhanced Container Isolation (ECI) does not mitigate the vulnerability. Linux desktop installations are not affected because they use a host named pipe instead of a TCP socket.