Understanding the Vulnerability
On February 11, 2019, security researchers disclosed CVE-2019-5736, a critical vulnerability in runC that allows a malicious container to overwrite the host's runC binary and gain root-level access to the server. This vulnerability affects every major container runtime using runC, including Docker, Kubernetes, and containerd.
The attack exploits runC's elevated privileges when managing containers. If an attacker can execute code inside a container, they can manipulate file descriptors to overwrite the runC binary on the host filesystem. When the next container operation occurs, the compromised binary executes with root privileges, giving the attacker full control of the host.
This is not a theoretical threat. Exploit code was publicly released on February 18, 2019, just seven days after disclosure, leaving organizations with a limited window to patch before exploitation became widespread.
Timeline of Events
February 11, 2019: CVE-2019-5736 disclosed; patches released for runC, Docker, and Kubernetes.
February 11-18, 2019: Organizations had a seven-day window to identify affected systems, test patches, and deploy updates before exploit code was released.
February 18, 2019: Public release of exploit code, lowering the skill threshold for attacks.
The rapid timeline created significant operational pressure. Your container infrastructure likely includes numerous nodes running containerized workloads. Patching them all within seven days while maintaining service availability required robust patch management or emergency response procedures.
Identifying Control Failures
This incident highlights three key control failures:
1. Default Privileged Containers
Docker containers run as privileged by default, prioritizing ease of use over security. This grants containers capabilities they rarely need, such as accessing host devices and manipulating kernel parameters. Most containerized applications don't require such access. Your web applications, API services, and batch jobs should run with minimal privileges.
2. Lack of Runtime Monitoring
Organizations often lack visibility into container behavior at runtime. While you might scan images for vulnerabilities before deployment, runtime security controls are necessary to detect escape attempts and unexpected process execution. The CVE-2019-5736 attack involves specific file operations against the host filesystem. Runtime security tools monitoring system calls and file access patterns would flag this behavior as anomalous.
3. Delayed Vulnerability Scanning and Patch Deployment
The seven-day window between disclosure and public exploit code was tight. Without continuous vulnerability scanning, organizations couldn't quickly identify which clusters, nodes, and images needed patching. Manual inventory processes don't scale when managing hundreds of container hosts.
Compliance Requirements
NIST 800-53 Rev 5 CM-7: Least Functionality
This control mandates configuring systems to provide only essential capabilities, prohibiting unnecessary functions. Running containers with default privileged access violates this principle. Grant elevated privileges only when necessary and document the justification.
NIST 800-53 Rev 5 SI-2: Flaw Remediation
Organizations must identify, report, and correct system flaws. SI-2(2) requires automated mechanisms to assess system components for flaw remediation. For container environments, this means automated scanning of base images, runtime environments, and orchestration components.
ISO/IEC 27001:2022 Annex A 8.8: Management of Technical Vulnerabilities
This control requires obtaining timely information about vulnerabilities, evaluating exposure, and taking appropriate measures. The seven-day timeline demands automated vulnerability intelligence feeds integrated with your container registry and orchestration platform.
PCI DSS v4.0.1 Requirement 6.3.3
For organizations processing payment card data, this requirement mandates identifying and addressing security vulnerabilities. Critical patches must be installed within a timeframe determined by the organization's risk ranking process, which for CVE-2019-5736 should have been days, not weeks.
Actionable Steps for Your Team
Audit Privileged Container Usage
Run the following command across your Kubernetes clusters to identify privileged pods:
kubectl get pods --all-namespaces -o json | \
jq '.items[] | select(.spec.containers[].securityContext.privileged==true) | .metadata.name'
Document why each privileged container requires elevated access. Create pod security policies that block privileged containers by default and require explicit approval for exceptions.
Implement Runtime Container Security
Deploy runtime security tools that monitor container behavior for escape attempts. Look for solutions that detect:
- Unexpected process execution patterns
- File access outside the container's mount namespace
- System calls indicating privilege escalation attempts
- Network connections to unexpected destinations
Tools like Falco, Sysdig, or Aqua Security provide runtime monitoring with predefined rules for container escape detection.
Automate Vulnerability Scanning in Your CI/CD Pipeline
Integrate container image scanning at multiple stages:
- Build time: Scan images before pushing to your registry
- Registry: Continuously scan stored images as new CVEs are disclosed
- Runtime: Scan running containers to detect drift from approved images
Tools like Trivy, Grype, or Anchore can integrate with Jenkins, GitLab CI, or GitHub Actions. Set policies to block deployment of images with critical vulnerabilities.
Create a Container-Specific Incident Response Runbook
Document your process for responding to container runtime vulnerabilities:
- How to identify affected clusters and nodes
- Testing process for patches
- Communication plan for maintenance windows
- Rollback procedures if patches cause service disruption
Test this runbook with tabletop exercises. The CVE-2019-5736 timeline didn't allow for improvisation.
Subscribe to Security Advisories for Your Container Stack
Set up monitoring for:
- runC security announcements
- Docker security advisories
- Kubernetes security mailing list
- Your container registry vendor's security notifications
Route these alerts to your security team's incident response channel. When the next container runtime vulnerability arises, you need to know within hours.
The CVE-2019-5736 incident demonstrated that container security involves more than scanning images for vulnerabilities. Your runtime configuration, privilege model, and patch deployment speed determine whether a disclosed vulnerability becomes a production incident. Default configurations optimized for developer convenience rarely align with security requirements. Your task is to close that gap before the next container escape vulnerability gives attackers root access to your infrastructure.



