User-Namespace
One Symlink From Host Root: The runC maskedPaths Escapes and the Myth of the Container Boundary
Three runC CVEs disclosed in November 2025 turned container escape back into a /dev/null symlink race — and one of them walks straight through AppArmor and SELinux. Here is how the maskedPaths breakout works, why seccomp and user namespaces are the layers that actually held, and what to change before the next runtime CVE.
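The abstract singles out seccomp and user namespaces as the layers that held, and points at the OCI `maskedPaths` list as the surface these escapes abused. A defender can check all three from the container's OCI runtime config before a runtime CVE lands. The auditor below is an added example and not code from the article or from the runC project; it inspects the standard OCI `config.json` fields (`linux.namespaces`, `linux.uidMappings`, `linux.seccomp`, `linux.maskedPaths`, `process.noNewPrivileges`). The two sample configs are constructed inline, and the `EXPECTED_MASKED` set and the "default-allow seccomp is weak" heuristic are this example's assumptions, not requirements stated on the page.

```python
import json

# Constructed sample OCI runtime configs (not taken from the article).
# A real runc config.json carries many more fields; these are trimmed to
# what the audit looks at.
WEAK_CONFIG = json.dumps({
    "process": {"noNewPrivileges": True},
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "net"}],
        "seccomp": {"defaultAction": "SCMP_ACT_ALLOW", "syscalls": []},
        "maskedPaths": ["/proc/kcore", "/proc/keys", "/sys/firmware"],
    },
})

HARDENED_CONFIG = json.dumps({
    "process": {"noNewPrivileges": True},
    "linux": {
        "namespaces": [
            {"type": "pid"}, {"type": "mount"}, {"type": "net"}, {"type": "user"},
        ],
        # Container root mapped to an unprivileged host UID/GID range.
        "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
        "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
        # Default-deny profile with an explicit allowlist (only a fragment shown).
        "seccomp": {
            "defaultAction": "SCMP_ACT_ERRNO",
            "syscalls": [{"names": ["read", "write", "exit_group"],
                          "action": "SCMP_ACT_ALLOW"}],
        },
        "maskedPaths": ["/proc/kcore", "/proc/keys", "/proc/timer_list",
                        "/sys/firmware"],
    },
})

# Assumption for this example: kernel-internal paths a typical runtime
# config masks. Treat this as a baseline to compare against, not as the
# authoritative runc default list.
EXPECTED_MASKED = {"/proc/kcore", "/proc/keys", "/proc/timer_list", "/sys/firmware"}


def audit_config(config_text: str) -> dict:
    """Return a dict of hardening findings for one OCI runtime config.

    Each key is True when the layer is present, except missing_masked_paths,
    which lists baseline paths the config does not mask.
    """
    cfg = json.loads(config_text)
    linux = cfg.get("linux", {})
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}

    # A user namespace only isolates root if a UID mapping is actually set;
    # a bare {"type": "user"} with no mapping leaves the container unusable
    # rather than safer, so require both.
    userns = "user" in ns_types and bool(linux.get("uidMappings"))

    # Heuristic: a seccomp profile whose default action is ALLOW filters
    # nothing unless it lists denied syscalls; treat default-deny as "held".
    seccomp = linux.get("seccomp") or {}
    seccomp_ok = seccomp.get("defaultAction") not in (None, "SCMP_ACT_ALLOW")

    no_new_privs = bool(cfg.get("process", {}).get("noNewPrivileges"))
    masked = set(linux.get("maskedPaths", []))

    return {
        "user_namespace": userns,
        "seccomp_default_deny": seccomp_ok,
        "no_new_privileges": no_new_privs,
        "missing_masked_paths": sorted(EXPECTED_MASKED - masked),
    }


def layers_held(findings: dict) -> int:
    """Count the independent layers present so a config can be ranked."""
    return sum(1 for k in ("user_namespace", "seccomp_default_deny",
                           "no_new_privileges") if findings[k])


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        f = audit_config(text)
        print(f"{name}: {layers_held(f)}/3 layers, "
              f"missing masked paths: {f['missing_masked_paths']}")
```

Point the script at a real `config.json` (runc writes one per container under its state directory, and `docker inspect` or `crictl inspect` will show the equivalent settings) by replacing the constructed strings with `open(path).read()`. The useful output is not the masked-path list itself but the count of independent layers: a config that relies on masked paths alone, with no user namespace and a default-allow seccomp profile, is the configuration the abstract warns about.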