gVisor Security Record
Vulnerabilities Defended by Year
An overview of high-impact Linux kernel vulnerabilities mitigated by gVisor over time.
This curated record is not a comprehensive list of all vulnerabilities, but focuses on high-impact CVEs relevant to production Kubernetes environments, specifically tracking critical threats highlighted in official Google Kubernetes Engine (GKE) security bulletins.
Vulnerability Overview & Impact
A race condition in mm/gup.c allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Insufficient data validation in waitid allowed a user to escape sandboxes on Linux.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux containers
Vulnerability Overview & Impact
Memory corruption in the Linux kernel packet socket (AF_PACKET) allows unprivileged processes to gain root privileges.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A symlink-exchange race condition in runc allows container filesystem breakout via directory traversal.
Mitigation Gap: runsc (gVisor) also handles mount paths similarly to runc when preparing the container's rootfs.
VM Runtime Prevented: No
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
An integer overflow in fs/seq_file.c buffer allocations leads to an out-of-bounds write and root privilege escalation.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free flaw in the Linux kernel cgroup v1 parser allows local privilege escalation and container breakout.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the length of the supplied parameters.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A vulnerability was found in the Linux kernel’s cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A flaw was found in the way the 'flags' member of the new pipe buffer structure lacked proper initialization in the copy_page_to_iter_pipe and push_pipe functions in the Linux kernel, and could thus contain stale values.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free exists in the Linux kernel in tc_new_tfilter that could allow a local attacker to escalate privileges.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
An improper update of a reference count in net/sched of the Linux kernel allows a local attacker to escalate privileges to root.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
In the Linux kernel, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
An integer overflow or wraparound vulnerability in io_uring of the Linux kernel allows a local attacker to cause memory corruption and escalate privileges to root.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free flaw was found in the Linux kernel’s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A speculative execution vulnerability (Retbleed) in modern microprocessors allows unprivileged attackers to leak kernel memory.
Mitigation Gap: Hardware CPU vulnerability requiring microcode mitigation.
VM Runtime Prevented: No
Escalation Vector: Cross-customer data leak
Target Ecosystem Scope: AMD + Intel machines
Vulnerability Overview & Impact
io_uring uses work_flags to determine which identity it needs to grab from the calling process, so that the identity is consistent with the calling process when executing an IORING_OP.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
There exists a use-after-free in io_uring in the Linux kernel.
Escalation Vector: Pod-to-guest escalation with root privileges
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
In io_identity_cow of io_uring.c, there is a possible way to corrupt memory due to a use after free.
Escalation Vector: Pod-to-guest escalation with root privileges
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free.
Escalation Vector: Pod-to-guest escalation with root privileges
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
io_uring use-after-free involving Unix SCM garbage collection.
Escalation Vector: Pod-to-guest escalation with root privileges
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Moby is an open-source project created by Docker to enable and accelerate software containerization.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free vulnerability in the Linux kernel traffic control index filter (tcindex) allows privilege escalation.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: Container images using libcurl
Vulnerability Overview & Impact
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux containers
Vulnerability Overview & Impact
A use-after-free flaw was found in the netfilter subsystem of the Linux kernel.
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Privilege escalation due to use-after-free in kernel TLS
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Privilege escalation due to use-after-free in kernel TLS
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Privilege escalation due to use-after-free in kernel TLS
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Privilege escalation due to use-after-free in kernel TLS
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Privilege escalation due to use-after-free in nf_tables
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Privilege escalation in net/packet / nf_tables
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Out-of-bounds access in eBPF verifier
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Privilege escalation due to use-after-free in kernel TLS
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Capabilities inheritance flaw in containerd 1.4
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: Containerd 1.4
Vulnerability Overview & Impact
Use-after-free flaw in Qdisc
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Bad handling of symlinks in malicious user-supplied image
Mitigation Gap: The flaw occurs outside of the container sandbox.
VM Runtime Prevented: Yes
Escalation Vector: Arbitrary host file read
Target Ecosystem Scope: OSS containers with GPU
Vulnerability Overview & Impact
Privilege escalation in netfilter
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Linux qdisc implementation flaw
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Vsock privilege escalation
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Privilege escalation in netfilter
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Local privilege escalation in qdisc
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Local privilege escalation in qdisc
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Vulnerability in io_uring ring-mapped supplied buffers
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Local privilege escalation in qdisc
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Local privilege escalation in qdisc
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Local privilege escalation in qdisc
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
ctstate RELATED iptables rule flaw
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Operations on net devices during unregister
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in HFSC packet scheduling
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in HFSC packet scheduling
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Race in PRIO qdisc
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in Qdisc
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in QFQ scheduling
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in xfrm interface
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in net/packet
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in vsock
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Data corruption in Kernel TLS
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Buffer overflow in Kernel TLS
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Data race in AF_ALG socket
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Data corruption in IPsec
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in IP Virtual Server
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Integer underflow in crypto
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Data race in GC alive socket receiver queue
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Data race deleting tunnel
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
NULL pointer dereference in authencesn
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in teql
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in nftables map
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in macvlan
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in nf_tables
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Local privilege escalation in snap-confine and systemd-tmpfiles
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: Ubuntu VMs
Vulnerability Overview & Impact
Denial of Service due to cleanup failure in nf_tables
Escalation Vector: Denial of Service
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Local Denial of Service in netfilter
Escalation Vector: Denial of Service
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in af_unix GC
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free via race condition
Escalation Vector: Denial of Service
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in netfilter
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in IPv6 stack
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Data structure mishandling in ipset
Escalation Vector: Network policy bypass
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in packet_release via NETDEV_UP race
Escalation Vector: Denial of Service
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Use-after-free in tls_do_encryption
Escalation Vector: Denial of Service
Target Ecosystem Scope: All Linux VMs
Vulnerability Overview & Impact
Chained attack in AF_ALG + splice syscall
Escalation Vector: Pod-to-guest escalation
Target Ecosystem Scope: All Linux VMs