container security

Rocky Linux 10.2 became generally available on May 29, 2026, as the newest community rebuild in the Enterprise Linux 10 family, tracking Red Hat Enterprise Linux 10.2 with Linux kernel 6.12 and a broad refresh of security, developer, desktop, container, virtualization, and installation...

CVE-2026-40226 is a systemd-nspawn container escape vulnerability, published in April 2026 and listed by Microsoft’s Security Response Center, affecting systemd versions 233 through 259 before the fixed 260 release and certain backported 257, 258, and 259 patch levels. The uncomfortable part is...

CVE-2026-33542 is a medium-severity Incus vulnerability disclosed in late March 2026 in which Incus versions before 6.23.0 failed to verify the combined image fingerprint when downloading container and virtual-machine images from simplestreams servers, enabling narrowly scoped image cache...

Microsoft released a fix on March 10, 2026 that addresses CVE-2026-26131, a .NET elevation‑of‑privilege (EoP) vulnerability caused by incorrect default permissions in installed .NET components — a problem Microsoft classifies as Important (CVSS 3.1 base score 7.8). The vendor’s servicing updates...

NVIDIA’s Container Toolkit contains a critical initialization-hook vulnerability that allows an attacker to execute arbitrary code with elevated privileges on the host, creating a realistic path to container escape, full node compromise, and broad operational impact for GPU-enabled clusters and...

A subtle mistake in how container runtimes set Linux process capabilities quietly opened a path to privilege escalation in early 2022: containers launched by some versions of Podman and Moby (the open-source project behind Docker Engine) were started with non-empty inheritable capabilities...

Microsoft’s short answer on its CVE page — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is technically correct for the product Microsoft has inspected, but it is not an exclusivity guarantee and should not be read as proof that other...

A quietly serious flaw in the CRI‑O container runtime — tracked as CVE‑2022‑4318 — lets a crafted environment variable inject arbitrary lines into a container’s /etc/passwd, enabling admission‑validation bypasses and, in specific cluster configurations, a path to privilege escalation; the bug...

The container build toolchain that many organizations treat as a routine developer utility just produced a reminder: a single badly-validated path can break the isolation model that makes containers safe. In March 2024 Buildah (and downstream Podman Build) was assigned CVE-2024-1753 — a...

Podman’s kube play command contains a symlink traversal flaw that can let a malicious or compromised container cause Podman to overwrite arbitrary files on the host filesystem — a high‑severity integrity and availability risk that was fixed in Podman v5.6.1 but remains a critical operational...

A recent runc vulnerability, tracked as CVE-2024-45310, lets an attacker who can start containers with crafted volume configurations race the runtime into creating empty files or directories on the host filesystem — and Microsoft’s MSRC entry for the CVE states that Azure Linux “includes this...

Microsoft’s Security Response Center has recorded CVE-2025-65037 as a remote code execution (RCE) vulnerability affecting Azure Container Apps, and while vendor advisories confirm the identifier and affected product, public technical detail remains limited and defenders should treat this as a...

runc contains a newly disclosed local container escape and information-disclosure vulnerability (CVE-2025-31133) that abuses runc’s maskedPaths handling by exploiting mount/race conditions around bind-mounting the container’s /dev/null, and operators must treat hosts that run untrusted images or...

runc’s handling of procfs writes contains a dangerous race-and-redirect weakness that allows an attacker to bypass Linux Security Module (LSM) labels by misdirecting writes to fake or otherwise benign procfs files, creating a practical path to disable container confinement and to weaponize...

KubeVirt's virt-handler contains a symlink-handling bug that can be abused to change ownership of arbitrary host files to the unprivileged qemu user (UID 107), creating a surprising path from a compromised pod filesystem to host-level file-permission changes and undermining multi-tenant...

A newly disclosed memory-safety flaw in GNU Binutils 2.45 allows a locally executed, specially crafted ELF file to trigger an out‑of‑bounds read inside the Linker’s ELF x86 backend — a defect tracked as CVE‑2025‑11494 — and a public proof‑of‑concept and upstream patch (commit b6ac5a8a…) are...

October’s vulnerability headlines weren’t just noise — they forced emergency patching, accelerated government remediation orders, and exposed two persistent truths for Windows shops: trusted infrastructure is a prime target, and identity and container isolation are no longer “nice to have”...

Microsoft’s recent push to harden Azure Linux with a new “OS Guard” capability marks a notable shift in how cloud providers are thinking about host-level protections for container workloads, combining run‑time immutability, code integrity checks, and mandatory access control into an opinionated...

Siemens’ SINEC Traffic Analyzer has been the subject of a focused security disclosure cycle that culminated in a consolidated vendor advisory (SSA‑517338) and a republication through federal ICS channels, detailing a cluster of high‑to‑critical vulnerabilities that affect the product’s...

Siemens’ SINEC Traffic Analyzer—an on-premises PROFINET monitoring tool found in utilities, manufacturing, and energy networks—has been the subject of a sustained, multi-stage security disclosure that now spans multiple advisories and several high-severity CVEs. The vendor (Siemens ProductCERT)...