GHSA-g5p6-327m-3fxx: 
vulnerability analysis and mitigation

A high-severity vulnerability (GHSA-g5p6-327m-3fxx) was discovered in Talos Linux affecting versions prior to 1.6.4 and 1.5.6. The vulnerability stems from a security issue in runc versions <=1.1.11, which is used by Docker engine and other containerization technologies including Kubernetes. The issue was published and reviewed on February 2, 2024, with a CVSS score of 8.6 (GitHub Advisory).

The vulnerability has been assigned CVE-2024-21626 and is characterized by a CVSS v3.1 base score of 8.6 with the following metrics: Local attack vector, Low attack complexity, No privileges required, User interaction required, Changed scope, and High impact on confidentiality, integrity, and availability. The technical vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (GitHub Advisory).

The vulnerability allows attackers to perform container escape to the underlying host OS. This can be achieved either through executing a malicious image or by building an image using a malicious Dockerfile or upstream image (GitHub Advisory).

The vulnerability has been patched in Talos v1.5.6 and v1.6.4 by updating the runc runtime to version 1.1.12. As a workaround, administrators should inspect the workloads running on the cluster to ensure they are not attempting to exploit the vulnerability (GitHub Advisory).