
Container Service for Kubernetes:ACK Edge cluster CVE-2024-21626 fix solution

Last Updated: Mar 26, 2026

A container escape vulnerability (CVE-2024-21626) was discovered in runc, the low-level runtime that containerd uses to start containers. A process started through the vulnerable runc (for example from a malicious image or a crafted exec) can obtain a working directory that points into the host file system, escape the container, and then read host files or run binaries on the host. Apply the fix as soon as possible.

Severity: Important | Status: Resolved

Affected scope

ACK Edge clusters running Kubernetes 1.20, 1.22, 1.24, or 1.26 whose node pools use the containerd runtime at version 1.5.13 or 1.6.20 are affected, because the runc shipped with those containerd versions carries the vulnerable code. Other containerd versions are not affected, and node pools that use the Docker runtime are not affected.

New clusters and new nodes added to existing clusters are already patched and are not affected.

Check your runtime version: on the Node Pools page, click the node pool ID, then click the Basic Information tab to view the runtime and runtime version. Repeat this for every node pool in the cluster, because node pools can run different runtime versions.

Fix

Important

To maintain cluster and application stability, apply the fix to affected nodes in batches (grayscale deployment) and check workload health between batches. Do not patch all nodes at once.

Run the following command on each affected node. It downloads the fix script to /tmp/runc-cve.sh and executes it with bash. If your change process requires it, run the wget part on its own first, review the downloaded script, and then run bash /tmp/runc-cve.sh.

Public network access node

wget -qr https://ack-edge-cn.oss-rg-china-mainland.aliyuncs.com/runc-edge-cve.sh -O /tmp/runc-cve.sh && bash /tmp/runc-cve.sh

Leased line access node

Replace cn-hangzhou with your cluster's region before running.

export REGION=cn-hangzhou; wget -qr "https://aliacs-k8s-${REGION}.oss-${REGION}-internal.aliyuncs.com/public/pkg/edge/runc-edge-cve-internal.sh" -O /tmp/runc-cve.sh && bash /tmp/runc-cve.sh

Expected output

Output: runc version is low, no cve, is safe
    Meaning: The runc on this node is not vulnerable. The script changed nothing.
    Action: No action needed.

Output: cve is fixed...ok
    Meaning: The vulnerability was detected and the fix was applied to this node. All node pools in the cluster are likely affected.
    Action: Continue applying the fix to the remaining nodes in batches, and monitor service status after each batch.
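The batching the Important note asks for is easy to get wrong by hand on a large node pool. The following is an added example of a grayscale rollout driver; it is not ACK tooling and not the fix script. It assumes (none of this is stated on the page) that the fix script has already been staged on every node at /tmp/runc-cve.sh using the wget command above, that nodes are reachable over ssh as root under the names kubectl reports, and that BATCH_SIZE nodes may be patched at a time. The per-node commands it runs are the page's own: the fix script, the commit-hash check from the Verify the fix section, and the rollback from the Rollback section. NODE_CMD is the hook that runs a command on a node, so it can be pointed at any function that takes "node command" if ssh is not how you reach your nodes.

```shell
#!/bin/sh
# Added example: batched (grayscale) rollout of the runc fix script.
# Assumptions (not from the page): /tmp/runc-cve.sh is already staged on each
# node, nodes accept ssh as root, BATCH_SIZE nodes may be patched at once.

BATCH_SIZE=${BATCH_SIZE:-2}
NODE_CMD=${NODE_CMD:-ssh_node}                 # hook: "$NODE_CMD node command"
FIX_CMD=${FIX_CMD:-"bash /tmp/runc-cve.sh"}   # the page's fix script, pre-staged
PATCHED_COMMIT="390c7001"                      # expected value from "Verify the fix"
CHECK_CMD="runc --version | grep commit | awk -F '-g' '{print \$2}'"   # page's check
ROLLBACK_CMD='p=$(command -v runc); cp -f "${p}_bak" "$p"'            # page's rollback

# Default node runner: non-interactive ssh as root (assumed access model).
ssh_node() {
    ssh -o BatchMode=yes "root@$1" "$2"
}

# Print the node list with $1 names per line.
# $2 is a space-separated node list, left unquoted on purpose so it splits.
batch_nodes() {
    printf '%s\n' $2 | awk -v n="$1" '
        { printf "%s%s", (NR == 1 ? "" : ((NR - 1) % n ? " " : "\n")), $0 }
        END { if (NR) printf "\n" }'
}

# Patch one node and verify it. Returns 0 when the node is safe afterwards
# (unaffected, or fixed and showing the patched commit). If the commit check
# fails after the script reported success, restore the original runc with the
# page's rollback command and return 1 so the caller stops the rollout.
fix_node() {
    node=$1
    out=$($NODE_CMD "$node" "$FIX_CMD") || { echo "$node: fix script failed"; return 1; }
    case "$out" in
        *"runc version is low, no cve, is safe"*)
            echo "$node: not vulnerable, nothing changed"; return 0 ;;
        *"cve is fixed"*)
            ;;
        *)
            echo "$node: unexpected script output: $out"; return 1 ;;
    esac
    commit=$($NODE_CMD "$node" "$CHECK_CMD")
    if [ "$commit" = "$PATCHED_COMMIT" ]; then
        echo "$node: fixed, runc commit $commit"
        return 0
    fi
    echo "$node: verification failed (commit '$commit'), restoring original runc"
    $NODE_CMD "$node" "$ROLLBACK_CMD"
    return 1
}

# Walk the nodes batch by batch and stop at the first failure, so one bad
# batch never turns into a cluster-wide change. $1 = space-separated nodes.
# The loop body runs in the pipeline's subshell; "return 1" there ends the
# loop and becomes the exit status of rollout.
rollout() {
    batch_nodes "$BATCH_SIZE" "$1" | while read -r batch; do
        echo "== batch: $batch"
        for node in $batch; do
            if ! fix_node "$node"; then
                echo "rollout stopped after failure on $node" >&2
                return 1
            fi
        done
        echo "== batch done; check workload health before the next batch"
    done
}
```

A typical invocation is rollout "$(kubectl get nodes -o jsonpath='{.items[*].metadata.name}')", narrowed to the nodes of the affected node pools. The driver deliberately does not retry: when a node fails verification it rolls that node back and stops, leaving the remaining batches untouched for a human to look at.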

Verify the fix

Run the following command on the node after applying the fix. It prints the short git commit of the installed runc binary, that is, the part of the commit line of runc --version that follows -g.

runc --version | grep commit | awk -F "-g" '{print $2}'

Expected output:

390c7001

Note

The fix script does not change or upgrade the runc version number. ACK maintains this runc build internally. Although the version number still falls within the range that the community advisory lists as affected, the binary has been patched. Vulnerability scanners that key on the runc version string may therefore keep reporting these nodes; use the commit hash check above as the source of truth.
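Because the version number alone cannot tell a patched node from an affected one, a node-local check has to combine the affected-scope rule (containerd 1.5.13 or 1.6.20) with the commit hash. The following is an added example that does exactly that from the output of runc --version and containerd --version; it is not ACK's fix or check script. The affected containerd versions and the patched commit are taken from this page. The output formats of the two --version commands are assumptions: upstream runc prints a commit line of the form "commit: v1.1.4-0-g<hash>", some builds print a bare hash instead (where the page's awk one-liner prints nothing), and containerd prints "containerd <module> <version> <hash>". The sample outputs at the bottom are constructed for trying the functions offline.

```shell
#!/bin/sh
# Added example: classify one node from its runc and containerd version output.
# Not ACK code. Version list and patched commit come from the page; the
# --version output layouts are assumed (see lead-in).

AFFECTED_CONTAINERD="1.5.13 1.6.20"   # from "Affected scope"
PATCHED_COMMIT="390c7001"             # from "Verify the fix"

# Print the runc commit hash from `runc --version` output. Unlike the page's
# one-liner, which prints nothing when the commit line has no "-g" marker,
# this also returns a bare hash.
runc_commit_hash() {
    printf '%s\n' "$1" | awk '
        /^commit:/ {
            c = $2
            if (match(c, /-g[0-9a-f]+$/)) c = substr(c, RSTART + 2)
            print c
            exit
        }'
}

# Print the containerd version without a leading "v" (assumed field layout:
# "containerd <module> <version> <hash>").
containerd_version() {
    printf '%s\n' "$1" | awk '/^containerd / { v = $3; sub(/^v/, "", v); print v; exit }'
}

# True when $1 is one of the containerd versions the page lists as affected.
containerd_in_scope() {
    for a in $AFFECTED_CONTAINERD; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Verdict for one node. $1 = `runc --version` output, $2 = `containerd --version` output.
#   patched       runc already carries the ACK fix commit; nothing to do
#   affected      containerd is an affected version and runc is not the patched build;
#                 run the fix script on this node
#   out-of-scope  containerd version is not in the affected list
#   unknown       containerd produced no usable output, so scope cannot be decided
assess_node() {
    commit=$(runc_commit_hash "$1")
    cver=$(containerd_version "$2")
    case "$commit" in
        "$PATCHED_COMMIT"*) echo "patched"; return 0 ;;
    esac
    if [ -z "$cver" ]; then
        echo "unknown"
    elif containerd_in_scope "$cver"; then
        echo "affected"
    else
        echo "out-of-scope"
    fi
}

# Assess the node this script runs on.
check_live_node() {
    assess_node "$(runc --version 2>/dev/null)" "$(containerd --version 2>/dev/null)"
}

# Constructed sample outputs (not real builds) for offline use.
SAMPLE_RUNC_PATCHED='runc version 1.1.4
commit: v1.1.4-0-g390c7001
spec: 1.0.2-dev'
SAMPLE_RUNC_UPSTREAM='runc version 1.1.4
commit: v1.1.4-0-g0123abc
spec: 1.0.2-dev'
SAMPLE_RUNC_BARE='runc version 1.1.4
commit: 0123abcd0123abcd0123abcd0123abcd0123abcd
spec: 1.0.2-dev'
SAMPLE_CONTAINERD_1620='containerd containerd.io 1.6.20 0000000000000000000000000000000000000000'
SAMPLE_CONTAINERD_1710='containerd github.com/containerd/containerd v1.7.10 1111111111111111111111111111111111111111'

# Only run the live check where runc is actually installed.
if command -v runc >/dev/null 2>&1; then
    check_live_node
fi
```

Run it on a node and act on the single word it prints: "affected" means run the fix script from the Fix section, "patched" means the node already shows the commit the page expects, and "out-of-scope" or "unknown" means check the node pool's runtime in the console before doing anything.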

Rollback

If the fix produces unexpected results, run the following commands on the node to restore the original runc binary. This relies on the backup that the fix script leaves beside runc as ${runc_path}_bak.

runc_path=$(command -v runc)
cp -f "${runc_path}_bak" "${runc_path}"

References

CVE-2024-21626 vulnerability announcement