## https://sploitus.com/exploit?id=F42EA8D5-8BB3-5C73-9662-E2A97CF21670
# CVE-2026-Pending: Container Escape via runC maskPaths Vunlerability
**Severity:** Critical (CVSS 9.8)
**Component:** `opencontainers/runc` (libcontainer)
**Vulnerability Type:** CWE-59: Improper Link Resolution Before File Access ('Link Following')
## ๐จ Executive Summary
A critical vulnerability exists in `runc`'s `maskPaths` function. When masking sensitive paths (like `/proc/kcore`) inside a container, `runc` uses `os.OpenFile(path, O_PATH, 0)` without the `O_NOFOLLOW` flag. This allows a malicious container process to replace the target path with a symlink to a sensitive host file (e.g., `/etc/shadow`), causing `runc` to perform mount operations on the host file instead of the container path.
## ๐ฅ Exploit Proof of Concept
The included `exploit.go` demonstrates the kernel behavior that allows this bypass.
### Usage
Compile and run inside a Linux environment (or a container with `CAP_SYS_ADMIN` if testing recursion):
```bash
go run exploit.go
```
### Exploit Code Analysis
```go
// Vulnerable Code Pattern in runC:
// 1. Path is typically provided as a string (e.g. from config)
// 2. runC calls os.OpenFile(path, O_PATH...)
// 3. MISSING: unix.O_NOFOLLOW flag
// Result: Kernel follows symlink if attacker swapped the path.
```
## ๐ก๏ธ Remediation
**Patch Required:**
Update `libcontainer/rootfs_linux.go` to include `unix.O_NOFOLLOW` when opening destination paths for masking.
```diff
- dstFh, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC, 0)
+ dstFh, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC|unix.O_NOFOLLOW, 0)
```
## ๐ Repository Structure
- `exploit.go`: Functional PoC code in Go.
- `analysis.md`: Detailed technical breakdown of the race condition.
- `cve_draft.md`: Report template for submission.
**Disclaimer:** This code is for security research and educational purposes only.