CVE-2021-43784 [Medium] | Integer Overflow in Runc

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.13%	1.66%	+1.53%
2	2025-11-21	1.31%	0.13%	-1.18%
3	2025-11-18	—	1.31%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.13%

1.66%

+1.53%

2025-11-21

1.31%

0.13%

-1.18%

2025-11-18

—

1.31%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.0	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:L) Might cause slowdowns, glitches, or partial disruption—not a full brick.	1.8	3.7	[email protected]
5.0	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:L) Might cause slowdowns, glitches, or partial disruption—not a full brick.	1.6	3.4	[email protected]
6.0	2.0	MEDIUM	`AV:N/AC:M/Au:S/C:P/I:P/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:S) A single authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	6.8	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.0

3.1

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L): Might cause slowdowns, glitches, or partial disruption—not a full brick.

1.8

3.7

[email protected]

5.0

3.1

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L): Might cause slowdowns, glitches, or partial disruption—not a full brick.

1.6

3.4

[email protected]

6.0

2.0

MEDIUM

AV:N/AC:M/Au:S/C:P/I:P/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:S): A single authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

6.8

6.4

[email protected]

OS Trackers for CVE-2021-43784

vendor	priority	summary	link
`alpine`	—	CVE-2021-43784: 1 source package rows (runc); 16 state rows across 7 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 7, open 9.	https://security.alpinelinux.org/vuln/CVE-2021-43784
`debian`	not yet assigned	CVE-2021-43784 not yet assigned priority: Debian including 1 source packages (runc), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2021-43784
`gentoo`	normal	CVE-2021-43784: 1 GLSA(s) (202408-25), 1 atom(s) (app-containers/runc); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-43784
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2021-43784
`ubuntu`	low	CVE-2021-43784 low priority: Ubuntu including 1 source packages (runc), 15 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 9, ignored 3, released 2, needed 1.	https://ubuntu.com/security/CVE-2021-43784

Affected software / configurations for CVE-2021-43784

Vendor	Product	Version	Raw CPE
linuxfoundation	runc	< 1.0.3	cpe:2.3:a:linuxfoundation:runc::::::::
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*

References for CVE-2021-43784

URL	Tags
https://bugs.chromium.org/p/project-zero/issues/detail?id=2241	Exploit Third Party Advisory
https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554	Patch Third Party Advisory
https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae	Patch Third Party Advisory
https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed	Patch Third Party Advisory
https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html

URL

CVE-2021-43784 | Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration

Public exploit references (Exploit-DB) for CVE-2021-43784

Exploit prediction scoring system (EPSS) score for CVE-2021-43784

Common vulnerability scoring system (CVSS) metrics for CVE-2021-43784

Weakness enumeration for CVE-2021-43784

GitHub Security Advisory for CVE-2021-43784

OS Trackers for CVE-2021-43784

Affected software / configurations for CVE-2021-43784

References for CVE-2021-43784