On January 31, 2024, the container runtime community disclosed CVE-2024-21626 — a vulnerability in runc, the OCI-standard container runtime used by Docker, containerd, Kubernetes, and virtually every container platform in production. The vulnerability allowed a malicious container image to escape its container boundary and gain full access to the host filesystem. The attack exploited a race condition in how runc handled the /proc/self/fd directory during container initialization: by manipulating the working directory of the container process, an attacker could break out of the filesystem namespace and traverse to the host’s root filesystem.
The vulnerability affected every version of runc prior to 1.1.12. It affected every Kubernetes cluster. It affected every Docker installation. It affected every cloud provider’s managed container service — EKS, GKE, AKS — that had not yet received the patch. Snyk’s analysis estimated that the vulnerability was present in over 80% of production container environments at the time of disclosure.
CVE-2024-21626 was not exceptional. It was routine. The Linux kernel — which containers share with the host and with each other — has averaged 40-60 CVEs per year over the past five years. Between 2019 and 2025, NIST’s National Vulnerability Database recorded 17 container escape vulnerabilities rated Critical (CVSS 9.0+). Each one granted an attacker the ability to escape from a container and access the host system, including all other containers running on that host.
Container escapes are not bugs to be patched. They are a structural consequence of the container isolation model — a model that shares a kernel across trust boundaries and relies on the correctness of that kernel to enforce isolation. For privacy-sensitive workloads, this architecture is fundamentally unsuitable.
How Container Isolation Works
A Linux container is not a virtual machine. It is a Linux process (or group of processes) with restricted views of the host system, enforced by three kernel mechanisms:
Namespaces
Linux namespaces partition kernel resources so that each container has its own view of the system:
- PID namespace: Each container sees only its own processes. Process ID 1 inside the container is not PID 1 on the host.
- Mount namespace: Each container has its own filesystem mount table. The container’s root filesystem is isolated from the host’s.
- Network namespace: Each container has its own network interfaces, routing tables, and firewall rules.
- UTS namespace: Each container has its own hostname.
- IPC namespace: Each container has its own inter-process communication resources (shared memory, semaphores).
- User namespace: Each container can map UIDs/GIDs independently of the host. Root inside the container (UID 0) can be mapped to an unprivileged user on the host.
cgroups
Control groups (cgroups) limit the resources a container can consume: CPU time, memory, I/O bandwidth, number of processes. cgroups prevent a container from starving the host or other containers of resources but do not enforce isolation — they enforce quotas.
Seccomp-BPF
Seccomp (Secure Computing Mode) with BPF (Berkeley Packet Filter) programs restricts which system calls a container can make. Docker’s default seccomp profile blocks approximately 50 of the kernel’s 450+ system calls — those considered most dangerous, including mount, kexec_load, reboot, and bpf. The remaining 400+ system calls are available to container code.
The Shared Kernel
All three mechanisms are enforced by the same Linux kernel. The kernel is shared between the host and all containers. Every system call from every container is processed by the same kernel code. A vulnerability in any of the 400 permitted system calls — in the kernel’s implementation of network protocols, filesystem handling, memory management, or namespace logic — potentially compromises the isolation of every container on the host.
This is the architectural weakness. The kernel is the single largest codebase in the Linux operating system: over 30 million lines of code as of kernel 6.8. The system call interface is the single largest attack surface available to container code. The security of container isolation depends on the correctness of all 30 million lines — a standard that no software project in history has achieved.
A Taxonomy of Container Escapes
Type 1: Namespace Escapes
Namespace escapes exploit bugs in the kernel’s namespace implementation to break out of the container’s restricted view.
CVE-2024-21626 (runc, 2024). The attack exploited a file descriptor leak in the /proc/self/fd directory during container initialization. By setting the container’s working directory to a leaked file descriptor pointing to the host filesystem, the attacker’s container processes could access the host’s root filesystem, read and write arbitrary files, and execute arbitrary commands on the host.
CVE-2019-5736 (runc, 2019). A malicious container could overwrite the host runc binary by exploiting the way runc opened /proc/self/exe during container exec operations. Once the runc binary was overwritten, any subsequent container operation on the host executed the attacker’s code with root privileges.
Both vulnerabilities shared a common pattern: the container runtime (runc) temporarily broke isolation during container lifecycle operations (initialization, exec), and the attacker exploited the brief window of reduced isolation.
Type 2: Kernel Privilege Escalation
These escapes exploit kernel vulnerabilities accessible from within a container to gain kernel-level code execution on the host.
CVE-2022-0185 (Linux kernel, 2022). A heap overflow in the kernel’s filesystem context handling (fs_context) allowed an attacker inside a container (with CAP_SYS_ADMIN in the container’s user namespace) to write arbitrary data to kernel memory. The exploit escalated from container to host root in under 1 second. The vulnerability existed in the legacy_parse_param function, which did not properly validate the length of filesystem mount parameters.
CVE-2021-31440 (Linux kernel, 2021). A vulnerability in the eBPF verifier allowed an attacker to bypass bounds checking in eBPF programs, gaining arbitrary kernel memory read/write from within a container. eBPF — designed as a safe in-kernel execution framework — became the attack vector because the verifier failed to track certain register values correctly.
Dirty Pipe (CVE-2022-0847, Linux kernel, 2022). A bug in the kernel’s pipe buffer handling allowed any unprivileged user (including processes inside a container) to overwrite arbitrary data in read-only files, including files owned by root. An attacker could overwrite /etc/passwd on the host through the container’s mount namespace if any shared filesystem was present.
Type 3: cgroup Escapes
cgroup escapes exploit the kernel’s cgroup implementation to break out of resource restrictions and gain host-level access.
CVE-2022-0492 (Linux kernel, 2022). A privilege escalation in the cgroup v1 release_agent feature allowed a container process to write to the host’s cgroup release_agent file, which is executed by the kernel when the cgroup becomes empty. The attacker could inject arbitrary commands that would be executed on the host with root privileges when the container’s cgroup was cleaned up.
This vulnerability was particularly insidious because the release_agent mechanism is a kernel feature, not a bug — the exploitation was the intended use of the mechanism, invoked from an unintended context (inside a container that should not have had write access to host cgroup files).
Type 4: Side-Channel Attacks
Even without escaping the container, an attacker sharing a host with another tenant can extract sensitive information through shared hardware resources.
L1 Terminal Fault (L1TF, 2018). An Intel-specific vulnerability that allowed an attacker to read data from the L1 data cache of another virtual machine or container on the same physical core. The attack exploited speculative execution to read memory belonging to other security domains.
Spectre variants. Multiple Spectre variants have demonstrated cross-container data leakage through shared CPU caches, branch predictors, and speculative execution buffers. Mitigations (retpoline, IBRS, STIBP) impose 2-15% performance overhead and do not eliminate all variants.
For privacy-sensitive workloads, side-channel attacks are particularly concerning because they do not require a container escape — the attacker reads data from a co-located tenant without ever leaving their own container. The shared physical hardware is the vulnerability.
The Multi-Tenancy Problem
Public cloud infrastructure is inherently multi-tenant. Multiple customers share physical servers, network switches, and storage arrays. Container orchestration platforms (Kubernetes) commonly schedule pods from different tenants on the same node.
AWS EKS, Google GKE, and Azure AKS provide managed Kubernetes where the control plane is operated by the cloud provider, but the worker nodes (where container workloads execute) are shared among the customer’s workloads — and in some configurations, among multiple customers.
A 2024 study by Wiz Research found that 60% of Kubernetes clusters in their dataset had at least one container running with elevated privileges (CAP_SYS_ADMIN, hostPID, hostNetwork, or privileged mode). These elevated privileges dramatically increase the impact of any kernel vulnerability: a container with CAP_SYS_ADMIN can exploit a broader range of kernel attack surfaces than a container with the default capability set.
The privacy implication is direct. If tenant A’s container escapes to the host, tenant A can access tenant B’s container memory, filesystems, network traffic, and environment variables. In a cloud environment where tenant B is processing sensitive data — financial records, medical information, legal communications, AI prompts — the escaped container has access to all of it.
Mitigations and Their Limits
Runtime Sandboxing
gVisor, Firecracker, and Kata Containers provide stronger isolation than standard containers by interposing an additional boundary between the container and the host kernel.
gVisor intercepts system calls in userspace, reducing the host kernel’s exposure from 400+ syscalls to approximately 70. Firecracker and micro-VMs provide hardware-isolated VMs with a 5 MB overhead per VM, eliminating kernel sharing entirely.
These mitigations are effective but not universally deployed. Google uses gVisor for Cloud Run and Cloud Functions. AWS uses Firecracker for Lambda and Fargate. But the majority of Kubernetes workloads — the hundreds of millions of pods running on EKS, GKE, and AKS — run on shared kernels with standard container isolation.
Seccomp Hardening
Tightening seccomp profiles reduces the kernel attack surface available to container code. Docker’s default profile blocks ~50 syscalls. A custom profile can reduce the allowed set to 100-150 syscalls for most applications. The limit is application compatibility — blocking a syscall that the application requires causes a crash.
Even hardened seccomp profiles leave hundreds of syscalls available. Each permitted syscall is a potential entry point for kernel exploitation. Seccomp reduces the probability of exploitation but cannot eliminate it.
Pod Security Standards
Kubernetes Pod Security Standards (PSS) define three levels — Privileged, Baseline, and Restricted — that constrain the security context of pods. The Restricted level prohibits privileged containers, host namespace access, and most dangerous capabilities.
PSS adoption remains partial. The same Wiz Research study found that only 28% of clusters enforced the Restricted PSS level. The Baseline level, which still permits several dangerous configurations, was enforced in an additional 31%. And 41% of clusters had no PSS enforcement at all.
Node Isolation
The most effective mitigation for multi-tenant container workloads: dedicate physical nodes to individual tenants. AWS Fargate, Google Cloud Run, and Azure Container Instances provide per-customer isolation at the VM level — each customer’s containers run in dedicated Firecracker VMs or gVisor sandboxes, eliminating cross-tenant kernel sharing.
The cost is efficiency. Dedicated node allocation wastes capacity when tenants’ workloads do not fully utilize their allocated resources. The cloud providers absorb this cost by overprovisioning — running more physical servers than would be necessary with full multi-tenancy — and passing the cost to customers through higher per-unit pricing.
Container Escapes as Privacy Breaches
The standard framing of container escapes is as a security incident: the attacker gains unauthorized access. The privacy framing is different and, for many organizations, more significant: the container escape exposes the contents of other tenants’ computations.
Consider a Kubernetes cluster processing AI inference workloads for multiple customers. Customer A sends a prompt containing proprietary business strategy. Customer B sends a prompt containing medical symptoms. Customer C sends a prompt containing legal case details. All three prompts are processed in containers on the same node, sharing the same kernel.
A container escape from any one of these containers exposes the others’ data. The attacker does not need to target a specific victim — they gain access to everything on the node. In a high-density Kubernetes deployment, a single node may host 50-100 pods, each belonging to a different customer or processing different sensitive workloads.
The remediation for a container escape is not just patching the vulnerability. It is determining what data was exposed — which, on a multi-tenant node, is potentially everything that was processed on that node during the window of compromise. For privacy-regulated data (GDPR, HIPAA, FERPA), this triggers notification obligations, regulatory reporting, and potential fines.
GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach. Determining the scope of exposure from a container escape on a multi-tenant node — which requires auditing every workload that ran on that node during the vulnerability window — is a forensic exercise that can take weeks. The 72-hour clock starts ticking regardless.
The Alternative: Isolation by Default
The container escape problem is not solvable within the container model. It is a consequence of sharing a kernel across trust boundaries. The solution is not better containers — it is a different isolation model.
V8 isolates eliminate the shared kernel problem by running code inside the V8 JavaScript engine, which does not share a kernel with other isolates (all isolates run within the same process, but V8’s memory isolation prevents cross-isolate access without any kernel involvement). The attack surface is the V8 engine, not the Linux kernel. V8 processes trillions of untrusted inputs per day across Chrome browsers and has been hardened by Google’s security team for over 15 years.
Confidential computing — Intel TDX, AMD SEV-SNP — provides hardware-enforced memory isolation where the hypervisor itself cannot read the contents of the tenant’s VM. A container escape from one VM cannot read the memory of another VM because the CPU’s hardware encryption prevents it.
Ephemeral infrastructure reduces the impact of any isolation failure by minimizing the duration of the exposure. A workload that exists for 200 ms and leaves no persistent state offers a 200 ms attack window. A workload that runs continuously on a shared node for days or weeks offers a correspondingly larger window.
The progression is clear: from shared kernels (containers) to sandboxed runtimes (gVisor, V8 isolates) to hardware-isolated enclaves (TDX, SEV-SNP) to ephemeral compute (per-request lifecycle with cryptographic shredding). Each step reduces the trust placed in shared infrastructure and the impact of a breach in that infrastructure.
The Stealth Cloud Perspective
Stealth Cloud does not use containers. This is not a cost optimization or a simplicity preference. It is a security and privacy decision rooted in the structural analysis above.
Our compute layer is Cloudflare Workers — V8 isolates running at 330+ edge locations globally. The V8 isolate model eliminates the entire container escape vulnerability class. There is no shared kernel. There are no system calls. There is no filesystem to traverse. There is no runc to exploit. There is no cgroup release_agent to hijack. The 17 Critical container escape CVEs from 2019-2025 are irrelevant to our architecture because the attack surface they target does not exist.
The isolate processes each request independently: decrypt the client’s AES-256-GCM payload, strip PII, proxy the sanitized prompt to the LLM provider, re-encrypt the response, and terminate. The isolation is enforced by V8’s memory model, not by kernel namespaces. The data persistence is zero, not because we configured logging correctly, but because the runtime has no persistence mechanism.
If a hypothetical V8 vulnerability allowed cross-isolate memory access — a severe event, given V8’s security track record — the attacker would access the memory of another isolate processing a different request. That memory contains a PII-stripped, encrypted payload in transit. The exposure is bounded to a single request’s sanitized content for a single moment in time. Compared to a container escape that exposes days of data from dozens of co-located tenants, the impact is fundamentally different in magnitude.
Shared infrastructure is a privacy risk. The magnitude of that risk depends on what is shared (kernel, hardware, process), for how long (persistent vs. ephemeral), and what the shared infrastructure contains (cleartext vs. encrypted, identified vs. anonymized). The container model shares the most dangerous component (the kernel), for the longest duration (continuous), with the least protection (cleartext in many deployments). The zero-trust isolate model shares the least dangerous component (a hardened engine), for the shortest duration (per-request), with the strongest protection (encrypted, PII-stripped, ephemeral). That difference is the difference between an architecture that hopes containers do not escape and an architecture that does not care if they do.