container security

NVIDIA’s Container Toolkit contains a critical initialization-hook vulnerability that allows an attacker to execute arbitrary code with elevated privileges on the host, creating a realistic path to container escape, full node compromise, and broad operational impact for GPU-enabled clusters and...

A subtle mistake in how container runtimes set Linux process capabilities quietly opened a path to privilege escalation in early 2022: containers launched by some versions of Podman and Moby (the open-source project behind Docker Engine) were started with non-empty inheritable capabilities...

Microsoft’s short answer on its CVE page — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is technically correct for the product Microsoft has inspected, but it is not an exclusivity guarantee and should not be read as proof that other...

A quietly serious flaw in the CRI‑O container runtime — tracked as CVE‑2022‑4318 — lets a crafted environment variable inject arbitrary lines into a container’s /etc/passwd, enabling admission‑validation bypasses and, in specific cluster configurations, a path to privilege escalation; the bug...

The container build toolchain that many organizations treat as a routine developer utility just produced a reminder: a single badly-validated path can break the isolation model that makes containers safe. In March 2024 Buildah (and downstream Podman Build) was assigned CVE-2024-1753 — a...

Podman’s kube play command contains a symlink traversal flaw that can let a malicious or compromised container cause Podman to overwrite arbitrary files on the host filesystem — a high‑severity integrity and availability risk that was fixed in Podman v5.6.1 but remains a critical operational...

A recent runc vulnerability, tracked as CVE-2024-45310, lets an attacker who can start containers with crafted volume configurations race the runtime into creating empty files or directories on the host filesystem — and Microsoft’s MSRC entry for the CVE states that Azure Linux “includes this...

Microsoft’s Security Response Center has recorded CVE-2025-65037 as a remote code execution (RCE) vulnerability affecting Azure Container Apps, and while vendor advisories confirm the identifier and affected product, public technical detail remains limited and defenders should treat this as a...

runc contains a newly disclosed local container escape and information-disclosure vulnerability (CVE-2025-31133) that abuses runc’s maskedPaths handling by exploiting mount/race conditions around bind-mounting the container’s /dev/null, and operators must treat hosts that run untrusted images or...

runc’s handling of procfs writes contains a dangerous race-and-redirect weakness that allows an attacker to bypass Linux Security Module (LSM) labels by misdirecting writes to fake or otherwise benign procfs files, creating a practical path to disable container confinement and to weaponize...

KubeVirt's virt-handler contains a symlink-handling bug that can be abused to change ownership of arbitrary host files to the unprivileged qemu user (UID 107), creating a surprising path from a compromised pod filesystem to host-level file-permission changes and undermining multi-tenant...

A newly disclosed memory-safety flaw in GNU Binutils 2.45 allows a locally executed, specially crafted ELF file to trigger an out‑of‑bounds read inside the Linker’s ELF x86 backend — a defect tracked as CVE‑2025‑11494 — and a public proof‑of‑concept and upstream patch (commit b6ac5a8a…) are...

October’s vulnerability headlines weren’t just noise — they forced emergency patching, accelerated government remediation orders, and exposed two persistent truths for Windows shops: trusted infrastructure is a prime target, and identity and container isolation are no longer “nice to have”...

Microsoft’s recent push to harden Azure Linux with a new “OS Guard” capability marks a notable shift in how cloud providers are thinking about host-level protections for container workloads, combining run‑time immutability, code integrity checks, and mandatory access control into an opinionated...

Siemens’ SINEC Traffic Analyzer has been the subject of a focused security disclosure cycle that culminated in a consolidated vendor advisory (SSA‑517338) and a republication through federal ICS channels, detailing a cluster of high‑to‑critical vulnerabilities that affect the product’s...

Siemens’ SINEC Traffic Analyzer—an on-premises PROFINET monitoring tool found in utilities, manufacturing, and energy networks—has been the subject of a sustained, multi-stage security disclosure that now spans multiple advisories and several high-severity CVEs. The vendor (Siemens ProductCERT)...

The launch of Thorium, the open-source malware analysis platform unveiled by the Cybersecurity and Infrastructure Security Agency (CISA), marks a significant milestone in the evolution of threat intelligence and response capabilities for organizations worldwide. With cyberattacks growing in...

In an age where artificial intelligence is rapidly transforming enterprise workflows, even the most lauded tools are not immune to the complex threat landscape that continues to evolve in parallel. The recent revelation of a root access exploit in Microsoft Copilot—a flagship AI assistant...

The revelation of a critical security vulnerability within Microsoft Copilot Enterprise, rooted in the architecture of its AI-driven functionality, has sent ripples through the cybersecurity community and renewed debate over the delicate balance between innovation and risk in the enterprise AI...

July 2025 emerged as a sobering reminder of the relentless escalation in both the sophistication and scale of global cybersecurity threats. Critical vulnerabilities in ubiquitous platforms like Google Chrome, SharePoint, NVIDIA’s container technology, and core enterprise appliances have been...