CVE-2026-0923: Remote Code Execution in Popular Container Runtime
Critical Severity

A critical RCE vulnerability has been identified in a widely-deployed container runtime. Exploitation allows full host takeover from within a container.

Cloud Security Research | Feb 28, 2026 | 5 min read

We have issued an emergency advisory regarding CVE-2026-0923, an extremely severe vulnerability in popular container runtime environments. This flaw breaks the fundamental isolation boundary between a running container and its underlying host system.

Exploitation requires an attacker to execute a specially crafted binary within a container. Once running, the payload exploits a race condition in the runtime's file descriptor handling, allowing the attacker to overwrite the host runC binary and achieve full root access to the entire cluster node.

Due to the widespread adoption of container orchestration platforms like Kubernetes, the attack surface for this vulnerability is immense. If an attacker breaches a single low-privilege web container, they can seamlessly pivot to compromise the entire underlying worker node and subsequently attack the control plane.

Immediate mitigation requires upgrading the container runtime across all infrastructure. Until upgrades can be completed, security teams should implement strict eBPF-based runtime security monitoring to detect unauthorized execution attempts targeting the runC process.
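
The monitoring step above can be sketched as detection logic over file-open events from an eBPF sensor. This is an added example, not code from the advisory or from any runtime project; the JSON event schema, the runC install paths and the updater allowlist are assumptions, and the sample events are constructed.

```python
import json

# Assumed install locations of the runtime binary; adjust per distribution.
RUNC_PATHS = {"/usr/bin/runc", "/usr/sbin/runc", "/usr/local/sbin/runc"}
# Assumed host-side updaters allowed to replace the binary during patching.
ALLOWED_WRITERS = {"dpkg", "rpm"}
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_TRUNC"}

# Constructed sample events (hypothetical schema), one JSON object per line.
SAMPLE_EVENTS = """\
{"ts": 1, "comm": "runc", "container_id": "", "path": "/usr/bin/runc", "flags": ["O_RDONLY"]}
{"ts": 2, "comm": "dpkg", "container_id": "", "path": "/usr/bin/runc", "flags": ["O_WRONLY", "O_TRUNC"]}
{"ts": 3, "comm": "dpkg", "container_id": "c0ffee01", "path": "/usr/bin/runc", "flags": ["O_WRONLY"]}
{"ts": 4, "comm": "cp", "container_id": "", "path": "/usr/sbin/runc", "flags": ["O_RDWR"]}
{"ts": 5, "comm": "app", "container_id": "c0ffee01", "path": "/var/www/index.html", "flags": ["O_WRONLY"]}
not-json garbage line
"""

def classify(event):
    """Return None for benign events, else 'critical' or 'high'."""
    if event.get("path") not in RUNC_PATHS:
        return None
    if not WRITE_FLAGS & set(event.get("flags", [])):
        return None  # read/execute opens of the runtime binary are normal
    if event.get("container_id"):
        return "critical"  # checked before the allowlist: comm is spoofable
    if event.get("comm") in ALLOWED_WRITERS:
        return None  # expected on the host during a package upgrade
    return "high"  # host process outside the allowlist

def scan(lines):
    """Parse JSON-lines events; return (alerts, malformed_line_count)."""
    alerts, malformed = [], 0
    for line in lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            malformed += 1  # count sensor gaps instead of dropping them silently
            continue
        severity = classify(event)
        if severity:
            alerts.append((event.get("ts"), severity, event.get("comm")))
    return alerts, malformed

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The container check runs before the process-name allowlist, so a containerised process that names itself after a package manager is still raised as critical.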

Cloud Security Research

Research Lead