gVisor Security Record

Vulnerabilities Defended by Year

An overview of high-impact Linux kernel vulnerabilities mitigated by gVisor over time.

Defended (96%)
Patched (3%)
Mitigatable (1%)
Vulnerable (0%)
1/1
2016
1/1
2017
1/1
2020
2/3
2021
16/17
2022
13/13
2023
19/20
2024
28/28
2025
~43
22/23
2026

Vulnerability Defense Database


This curated record is not a comprehensive list of all vulnerabilities, but focuses on high-impact CVEs relevant to production Kubernetes environments, specifically tracking critical threats highlighted in official Google Kubernetes Engine (GKE) security bulletins.

Defended

A race condition in mm/gup.c allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Insufficient data validation in waitid allowed an user to escape sandboxes on Linux.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux containers
Defended

Memory corruption in the Linux kernel packet socket (AF_PACKET) allows unprivileged processes to gain root privileges.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Patched

A symlink-exchange race condition in runc allows container filesystem breakout via directory traversal.

Mitigation Gap: `runsc` (gVisor) also handles mount paths similar to `runc` to prepare the container's rootfs
VM Runtime Prevented: No
Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

An integer overflow in fs/seq_file.c buffer allocations leads to an out-of-bounds write and root privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free flaw in the Linux kernel cgroup v1 parser allows local privilege escalation and container breakout.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A flaw was found in the way the 'flags' member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Integer Overflow or Wraparound vulnerability in io_uring of Linux Kernel allows local attacker to cause memory corruption and escalate privileges to root.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free flaw was found in the Linux kernel’s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

In the Linux kernel, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
External mitigation required

A speculative execution vulnerability (Retbleed) in modern microprocessors allows unprivileged attackers to leak kernel memory.

Mitigation Gap: Hardware CPU vulnerability requiring microcode mitigation.
VM Runtime Prevented: No
Escalation Vector: Cross-customer data leak
Scope: AMD + Intel machines
Defended

Io_uring use work_flags to determine which identity need to grab from the calling process to make sure it is consistent with the calling process when executing IORING_OP.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

In io_identity_cow of io_uring.c, there is a possible way to corrupt memory due to a use after free.

Escalation Vector: Pod-to-guest escalation with root privs
Scope: All Linux VMs
Defended

There exists a use-after-free in io_uring in the Linux kernel.

Escalation Vector: Pod-to-guest escalation with root privs
Scope: All Linux VMs
Defended

It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free.

Escalation Vector: Pod-to-guest escalation with root privs
Scope: All Linux VMs
Defended

Io_uring UAF, Unix SCM garbage collection.

Escalation Vector: Pod-to-guest escalation with root privs
Scope: All Linux VMs
Defended

Moby is an open-source project created by Docker to enable and accelerate software containerization.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
No CVE assigned 7.8
Defended

Privilege escalation in io_uring

Escalation Vector: Pod-to-guest escalation with root privs
Scope: All Linux VMs
Defended

Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.

Escalation Vector: Pod-to-guest escalation
Scope: Container images using `libcurl`
Defended

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux containers
Defended

Privilege escalation due to use-after-free in kernel TLS

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

A use-after-free flaw was found in the netfilter subsystem of the Linux kernel.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Privilege escalation due to use-after-free in nf_tables

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Privilege escalation due to use-after-free in kernel TLS

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Privilege escalation due to use-after-free in kernel TLS

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Privilege escalation due to use-after-free in kernel TLS

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
No CVE assigned 7.8
Defended

Privilege escalation due to anonymous set in nf_tables

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
No CVE assigned 7.8
Defended

Privilege escalation due to race condition in nf_tables

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
No CVE assigned 7.8
Defended

Privilege escalation due to use-after-free in nf_tables

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
No CVE assigned 7.8
Defended

Privilege escalation in nft_verdict_init

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
No CVE assigned 8.8
Defended

Unsafe Python Pickle deserialization of ML models

Escalation Vector: Pod-to-guest escalation
Scope: ML API endpoints
No CVE assigned 7.8
Defended

Privilege escalations due to use-after-free in packet processing

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
No CVE assigned 7.8
Defended

Vulnerability in io_uring and SCM_RIGHTS

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Out-of-bounds access in eBPF verifier

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Privilege escalation due to use-after-free in kernel TLS

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Privilege escalation in net/packet / nf_tables

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Capabilities inheritance flaw in containerd 1.4

Escalation Vector: Pod-to-guest escalation
Scope: Containerd 1.4
Defended

Use-after-free flaw in Qdisc

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Patched

Bad handling of symlinks in malicious user-supplied image

Mitigation Gap: The flaw occurs outside of the container sandbox.
VM Runtime Prevented: Yes
Escalation Vector: Arbitrary host file read
Scope: OSS containers with GPU
Defended

Privilege escalation in netfilters

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Privilege escalation in netfilter

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Linux qdisc implementation flaw

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Vsock privilege escalation

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Local privilege escalation in qdisc

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Local privilege escalation in qdisc

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

ctstate RELATED iptables rule flaw

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Operations on net devices during unregister

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Local privilege escalation in qdisc

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Local privilege escalation in qdisc

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Local privilege escalation in qdisc

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

io_uring ring mapped supplied buffers vulnerability

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in HFSC packet scheduling

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in HFSC packet scheduling

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Race in PRIO qdisc

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in Qdisc

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in QFQ scheduling

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in xfrm interface

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Data corruption in Kernel TLS

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in net/packet

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in vsock

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Buffer overflow in Kernel TLS

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Data race in AF_ALG socket

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Data corruption in IPSec

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in IP Virtual Server

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Integer underflow in crypto

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Data race in GC alive socket receiver queue

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Data race deleting tunnel

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

NULL pointer dereference in authencesn

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in teql

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in nftables map

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in macvlan

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
No CVE assigned 7.8
Defended

Local privilege escalation in AppArmor

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
No CVE assigned 8.2
Patched

Read/write tenant data in shared GPU environments

VM Runtime Prevented: Yes
Escalation Vector: Local privilege escalation
Scope: NVIDIA GPUs
Defended

Use-after-free in nf_tables

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Denial of Service due to cleanup failure in nf_tables

Escalation Vector: Denial of Service
Scope: All Linux VMs
Defended

Local Denial of Service in netfilter

Escalation Vector: Denial of Service
Scope: All Linux VMs
Defended

Use-after-free in af_unix GC

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Local privilege escalation in snap-confine and systemd-tmpfiles

Escalation Vector: Pod-to-guest escalation
Scope: Ubuntu VMs
Defended

Use-after-free via race condition

Escalation Vector: Denial of Service
Scope: All Linux VMs
Defended

Use-after-free in netfilter

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Data structure mishandling in ipset

Escalation Vector: Network policy bypass
Scope: All Linux VMs
Defended

Use-after-free in IPv6 stack

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Chained attack in AF_ALG + splice syscall

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Use-after-free in packet_release via NETDEV_UP race

Escalation Vector: Denial of Service
Scope: All Linux VMs
Defended

Use-after-free in tls_do_encryption

Escalation Vector: Denial of Service
Scope: All Linux VMs
No CVE assigned 7.8
Defended

Linux bonding device vulnerability leading to container escape

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Improper handling of shared socket buffer (skb) fragments during Encapsulating Security Payload (ESP) decryption in the xfrm subsystem in the Linux kernel allows a local user to write to read-only page-cache pages, potentially leading to local privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

GhostLock: A use-after-free vulnerability in the Linux kernel rtmutex implementation during futex_requeue operations allows local privilege escalation and container escapes.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

DirtyClone: Failure to properly propagate the SKBFL_SHARED_FRAG flag when cloning network packets in the Linux kernel allows local privilege escalation.

Escalation Vector: Pod-to-guest escalation
Scope: All Linux VMs
Defended

Januscape: A use-after-free vulnerability in the KVM shadow MMU code in the Linux kernel allows guest-to-host escape and privilege escalation to root.

Escalation Vector: Guest-to-host escalation
Scope: All Linux VMs