惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

雷峰网
雷峰网
宝玉的分享
宝玉的分享
I
InfoQ
P
Privacy International News Feed
V
V2EX
IT之家
IT之家
S
SegmentFault 最新的问题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V2EX - 技术
V2EX - 技术
C
CERT Recently Published Vulnerability Notes
C
Check Point Blog
The Register - Security
The Register - Security
爱范儿
爱范儿
博客园 - 三生石上(FineUI控件)
AWS News Blog
AWS News Blog
M
MIT News - Artificial intelligence
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
B
Blog
N
Netflix TechBlog - Medium
B
Blog RSS Feed
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Last Week in AI
Last Week in AI
T
Threatpost
Forbes - Security
Forbes - Security
U
Unit 42
A
Arctic Wolf
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recorded Future
Recorded Future
L
Lohrmann on Cybersecurity
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Proofpoint News Feed
月光博客
月光博客
Spread Privacy
Spread Privacy
MongoDB | Blog
MongoDB | Blog
Jina AI
Jina AI
I
Intezer
V
Visual Studio Blog
阮一峰的网络日志
阮一峰的网络日志
The Hacker News
The Hacker News
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
LangChain Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园_首页
MyScale Blog
MyScale Blog
腾讯CDC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
I built a container escape audit tool — here's what v4.0 adds
Liam Romanis · 2026-06-01 · via DEV Community

canonical_url: https://github.com/liamromanis101/K8s-container_escape_audit

Container security tooling tends to fall into two camps: heavyweight scanners that run outside the container before deployment, and ad-hoc one-liners you paste into a shell when something looks wrong. container_escape_audit.sh sits in neither — it runs inside a live container, checks the actual runtime environment, and tells you exactly what an attacker who just landed in that container would be looking at.

Version 4.0 adds 12 kernel hardening checks, a config-driven CVE engine, and a database of 10 current kernel CVEs — including three that are actively exploited in the wild right now. This post walks through what's new and why the config-driven approach matters.

Repo: github.com/liamromanis101/K8s-container_escape_audit


The quick version

# grab both files
curl -sO https://raw.githubusercontent.com/liamromanis101/K8s-container_escape_audit/main/container_escape_audit.sh
curl -sO https://raw.githubusercontent.com/liamromanis101/K8s-container_escape_audit/main/cve_checks.conf
chmod +x container_escape_audit.sh
./container_escape_audit.sh

It runs in 15–45 seconds, writes a structured report, and exits. No installation. No root required (though running as root inside the container gives you more complete results). Nothing is written to the system — every check is read-only.

Output looks like this:

[CRIT]  Container appears PRIVILEGED (CapEff=0000003fffffffff)
[CRIT]  VULNERABLE to Copy Fail (CVE-2026-31431) — AEAD socket bindable, kernel 6.1.112
[WARN]  kptr_restrict=1 — kernel pointers visible to root processes
[WARN]  Unprivileged user namespaces enabled (kernel.unprivileged_userns_clone=1)
[ OK ]  cgroup v2 subtree_control is not writable
[ OK ]  No readable SSH private keys found

==================== SUMMARY ====================
  [CRITICAL] Container is running in privileged mode
  [CRITICAL] Copy Fail (CVE-2026-31431) AF_ALG exposure — CRITICAL [ITW] [CISA-KEV]
  [HIGH    ] kptr_restrict=1: kernel pointers visible to root
  [HIGH    ] Unprivileged user namespace creation is enabled

  CRITICAL: 2  |  HIGH: 5  |  MEDIUM: 3  |  INFO: 4

Every finding in the full report has four fields: what it is, impact, exploitability, and recommendation.


What it checks

The script runs 47 checks across four sections plus the CVE engine.

Checks 1–23 are the classic container escape vectors most people are familiar with — privileged mode, dangerous capabilities, host namespace sharing, dangerous mounts, /proc exposure, Kubernetes service account tokens, writable cron and auth files, runtime sockets, SUID binaries, and so on.

Checks 24–35 cover newer runtime attack surface: NVIDIAScape (CVE-2025-23266), the runc masked-path race trio (CVE-2025-31133/-52565/-52881), eBPF exposure, debugfs, Kubernetes RBAC active probing via SelfSubjectAccessReview, kernel keyring access, OCI hook injection paths, page cache write primitives (splice + pipe2), and procfs namespace FD leakage.

Checks 36–47 are new in v4.0 — kernel hardening posture. More on these below.

The CVE engine reads cve_checks.conf and runs compound checks against each entry. Also new in v4.0.


New: kernel hardening checks

When you're auditing a container, you're looking at the host kernel's sysctl values too — they reflect directly what mitigations are and aren't active. All of these are read from /proc/sys with no writes, no side effects.

The ones that tend to be most impactful in practice:

kernel.kptr_restrict — if this is 0, every user on the box can read kernel symbol addresses from /proc/kallsyms. That's an instant KASLR bypass. Most exploits against kernel vulnerabilities need an address leak as step one; when kptr_restrict=0 you skip that step entirely. It should be 2.

kernel.unprivileged_userns_clone — unprivileged user namespaces are the prerequisite for the majority of container escape CVEs published since 2019. Flipping Pages (CVE-2024-1086), the Packet Socket Race (CVE-2025-38617), Copy Fail, Dirty Frag — all of them either require user namespaces or become significantly easier with them. Setting this to 0 on hosts that don't need rootless containers removes a huge amount of attack surface in one sysctl.

kernel.perf_event_paranoid — at value 0 or -1, unprivileged processes can access kernel-level performance counters. This is the foundation of Spectre-class side-channel attacks and enables cross-container information leakage on shared CPU nodes. It should be at least 2.

fs.protected_symlinks and fs.protected_hardlinks — classic /tmp race conditions. Still come up regularly in privilege escalation chains. Both should be 1.

The full list in v4.0:

# Parameter Recommended
36 kernel.kptr_restrict 2
37 kernel.dmesg_restrict 1
38 kernel.randomize_va_space 2
39 fs.protected_symlinks / fs.protected_hardlinks 1
40 fs.protected_fifos / fs.protected_regular 2
41 net.ipv4.tcp_syncookies 1
42 ICMP redirects / source routing / rp_filter 0 / 0 / 1
43 IP forwarding informational
44 kernel.unprivileged_userns_clone 0
45 kernel.perf_event_paranoid ≥ 2
46 Dirty Frag modules (esp4, esp6, rxrpc) not loaded
47 Dangerous loaded modules audit 14 modules

New: config-driven CVE checks

Previously, CVE-specific checks were hardcoded functions in the script. Adding a new one meant modifying the script. That's fine for a handful of checks, but it doesn't scale well — and it means the script and the CVE data are tightly coupled when they really shouldn't be.

In v4.0, CVE checks are defined in cve_checks.conf. The script reads the file at runtime and dispatches the right test for each entry. To add a new CVE, you append a block to the config. The script doesn't change.

A config entry looks like this:

cve_id=CVE-2024-1086
name=Flipping Pages
cvss=7.8
severity=CRITICAL
check_type=compound
introduced=3.15
fixed_versions=5.15:5.15.149 6.1:6.1.76 6.6:6.6.15
itw=yes
poc_public=yes
cisa_kev=yes
subsystem=net/netfilter/nf_tables
module_names=nf_tables
mitigation=rmmod nf_tables 2>/dev/null; echo 'install nf_tables /bin/false' > /etc/modprobe.d/nftables.conf
socket_af=none
socket_type=none
socket_proto=none
what=CVE-2024-1086 is a use-after-free in nf_tables...
impact=Full local privilege escalation...
exploit=Public PoC, 99.4% success rate on Debian/Ubuntu/KernelCTF...
rec=Patch to v5.15.149+, v6.1.76+, or v6.6.15+...

The check_type field drives what the engine actually does:

  • kernel_version — parses uname -r and compares against the introduced/fixed_versions ranges. Handles all current LTS series.
  • module_loaded — checks /proc/modules for the listed modules.
  • socket_family — tries to open a socket with the given AF/type/proto from Python, which tells you whether the attack surface is reachable from within this specific container regardless of kernel patch status.
  • compound — runs all three and synthesises a combined severity.

The compound severity logic is worth spelling out because it avoids the two failure modes of noisy and silent:

kernel in affected range + module loaded or socket reachable  →  CRITICAL
kernel in affected range + module not blacklisted             →  HIGH (auto-load risk)
kernel in affected range + module blacklisted                 →  MEDIUM (interim mitigation, patch needed)
kernel not in affected range                                  →  INFO

That last HIGH case catches the thing that trips people up: a module that's not currently loaded but also not blacklisted can be auto-loaded by the kernel just by opening the right socket. "Not loaded" is not the same as "not exploitable."


What's in the CVE database

The shipped cve_checks.conf has ten entries. Three are actively exploited right now.

Copy Fail (CVE-2026-31431, CVSS 7.8, CISA KEV) — a flaw in the algif_aead AF_ALG interface that gives any unprivileged user a 4-byte write into the page cache of any readable executable. A 732-byte Python PoC with no dependencies achieves reliable root. Affects kernels from 4.14. Interim mitigation: rmmod algif_aead && echo 'install algif_aead /bin/false' > /etc/modprobe.d/copyfail.conf.

Dirty Frag (CVE-2026-43284 + CVE-2026-43500, CVSS 8.8/7.8) — same bug class as Copy Fail but through the IPsec ESP and RxRPC subsystems. Provides full attacker-controlled page cache writes at any offset, not just 4 bytes. Two CVEs, typically chained. As of writing, no distro patch exists for the RxRPC path — blacklisting rxrpc is the only mitigation. Note: blacklisting esp4/esp6 kills IPsec — check before you fleet-deploy.

Flipping Pages (CVE-2024-1086, CVSS 7.8, CISA KEV) — use-after-free in nf_tables. 99.4% success rate PoC. Used in RansomHub and Akira ransomware campaigns. Needs unprivileged user namespaces + nf_tables loaded. Affects 3.15–6.6.14.

The other seven: Attack of the Vsock (CVE-2025-21756), Chronomaly (CVE-2025-38352), Packet Socket Race (CVE-2025-38617), OverlayFS SetUID Copy (CVE-2025-38352, CISA KEV), DirtyPipe (CVE-2022-0847), and DirtyCOW (CVE-2016-5195).


Updating the database

The whole point of the config-driven design is that you shouldn't need to touch the script when new vulnerabilities drop. When a CVE gets a distro patch, update fixed_versions. When something goes ITW, update itw=yes. Add a new entry for a new CVE:

cat >> cve_checks.conf << 'ENTRY'

cve_id=CVE-2025-XXXXX
name=Whatever it's called
cvss=8.1
severity=HIGH
check_type=compound
introduced=6.1
fixed_versions=6.6:6.6.50 6.12:6.12.5
itw=no
poc_public=yes
cisa_kev=no
subsystem=fs/btrfs
module_names=btrfs
mitigation=none
socket_af=none
socket_type=none
socket_proto=none
what=...
impact=...
exploit=...
rec=...
ENTRY


Running in Kubernetes

Drop it into a pod directly:

kubectl cp container_escape_audit.sh mynamespace/mypod:/tmp/audit.sh
kubectl cp cve_checks.conf mynamespace/mypod:/tmp/cve_checks.conf
kubectl exec -n mynamespace mypod -- bash /tmp/audit.sh \
  --cve-conf /tmp/cve_checks.conf \
  --report /tmp/audit_report.txt
kubectl cp mynamespace/mypod:/tmp/audit_report.txt ./

Or as a Job that audits the cluster's default security context:

apiVersion: batch/v1
kind: Job
metadata:
  name: container-escape-audit
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: audit
          image: alpine:latest
          command:
            - sh
            - -c
            - |
              apk add --no-cache bash curl python3 && \
              curl -sO https://raw.githubusercontent.com/liamromanis101/K8s-container_escape_audit/main/container_escape_audit.sh && \
              curl -sO https://raw.githubusercontent.com/liamromanis101/K8s-container_escape_audit/main/cve_checks.conf && \
              chmod +x container_escape_audit.sh && \
              ./container_escape_audit.sh --json

kubectl apply -f audit-job.yaml
kubectl wait --for=condition=complete job/container-escape-audit --timeout=120s
kubectl logs job/container-escape-audit
kubectl delete job container-escape-audit

The Job runs with whatever security context the cluster assigns by default — which is the point. You want to see what a workload running in your cluster can actually reach, not what it could reach if you gave it extra permissions.


CI integration

The JSON output makes it straightforward to gate on CRITICAL findings:

CRITICAL_COUNT=$(./container_escape_audit.sh --json --no-report \
  | jq '[.findings[] | select(.severity=="CRITICAL")] | length')

if [ "$CRITICAL_COUNT" -gt 0 ]; then
  echo "FAILED: $CRITICAL_COUNT critical escape vectors detected"
  exit 1
fi


Requirements and limitations

Requirements: Bash 4.2+, Python 3. Everything else uses /proc, /sys, and standard POSIX tools. curl is optional (used for IMDS and Kubelet API checks).

What it isn't: this is a point-in-time audit, not continuous monitoring. It identifies attack surface — it doesn't exploit anything. A CRITICAL finding means the prerequisites for a known attack are present, not that you've been compromised. For continuous detection, pair it with Falco rules watching for writes to release_agent and core_pattern, AF_ALG socket creation from non-root processes, and LD_PRELOAD pointing to /tmp or /dev/shm.


Licence

CC BY-NC 4.0 — free for non-commercial use with attribution. If you're using this as part of a paid engagement or commercial product, we're happy to discuss sponsorship: github.com/sponsors/liamromanis101.


Feedback, issues, and PRs welcome. If you hit a false positive, a missed check, or a CVE that should be in the database, open an issue on GitHub.

github.com/liamromanis101/K8s-container_escape_audit