Mitigating Leaky Vessels Vulnerabilities in runc, BuildKit and Moby
ID: 486f3cf7-9f7c-527f-81ff-615c2efccfee
STIX ID: report--486f3cf7-9f7c-527f-81ff-615c2efccfee
Feed Name: Aqua Security Blog
On January 31, 2024, researchers disclosed four high-severity container vulnerabilities affecting runc, BuildKit, Moby (Docker Engine), and Docker Desktop. Building or running a malicious image or Dockerfile can enable full container escape and remote code execution on the host. The report details the affected versions, the exploitation techniques (a crafted WORKDIR pointing at /proc/self/fd/[ID], a BuildKit mount cache race, a GRPC SecurityMode privilege bypass, and arbitrary file deletion via RUN --mount), the recommended patches and mitigations (upgrade to the listed patched versions and use only trusted images), and how Aqua Security's CNAPP/Trivy and runtime controls detect and mitigate exploitation attempts.
