Skip to content
TopicTracker
From HackerNewsView original
TranslationTranslation

A reliable unprivileged container jail escape proof of concept for CentOs/RHEL

This repository provides a proof of concept demonstrating a reliable unprivileged container jail escape for CentOS/RHEL systems, exploiting IPv6 fragmentation handling to break out of a container environment.

Background

- This is a proof-of-concept exploit that shows how an attacker inside a Linux container can break out and access the host system by abusing a flaw in IPv6 fragment reassembly handling in the Linux kernel. The exploit works on CentOS/RHEL and was tested on kernel versions 3.10.0-1160 and up. - "Unprivileged container" means a container that is not running as root and is intended to have limited capabilities — making a jail escape from such a container is especially dangerous because it bypasses those supposed restrictions. - The vulnerability is tracked as CVE-2024-24855 (CVSS 7.5) and involves a race condition: the kernel incorrectly maps memory pages between the host and container network namespaces when reassembling fragmented IPv6 packets, allowing the attacker to write data to arbitrary host memory. - Containerization platforms like Docker, Podman, and Kubernetes commonly use the affected kernel component (called "raw socket" handling), making this a widespread security concern. - A proof-of-concept exploit demonstrating the flaw was publicly released on GitHub by researcher sgkdev in early 2025, along with a detailed write-up of the vulnerability.

Related stories