CVE-2021-43784: 
NixOS vulnerability analysis and mitigation

CVE-2021-43784 is an integer overflow vulnerability discovered in runC, a lightweight container runtime implementation. The vulnerability was identified in December 2021 and affects versions prior to 1.0.3. The issue occurs in the netlink encoder's handling of the byte array attribute type's 16-bit length field, which is used for container configuration serialization (GitHub Advisory).

The vulnerability exists in runC's netlink serialization system, which is used for specifying container configuration to the C portion of the code responsible for namespace setup. The encoder failed to handle integer overflow possibilities in the 16-bit length field for byte array attributes. A sufficiently large malicious byte array attribute could cause the length to overflow, resulting in the attribute contents being parsed as netlink messages for container configuration (Openwall).

If exploited, this vulnerability would allow an attacker with some control over container configuration to bypass namespace restrictions by adding their own netlink payload that disables all namespaces. The main impact affects users who allow untrusted images with untrusted configurations to run on their machines, particularly in shared cloud infrastructure environments (GitHub Advisory).

The vulnerability was patched in runc version 1.0.3. The fix involves implementing proper handling of integer overflow in the netlink message length field. As a workaround, users can disallow untrusted namespace paths in container configuration to eliminate practical exploitation vectors (GitHub Advisory, Red Hat).