Container Service for Kubernetes:ACK Edge cluster CVE-2024-21626 fix solution

Last Updated:Mar 07, 2026

A container escape vulnerability (CVE-2024-21626) was discovered in runc. Attackers can exploit this vulnerability to escape from containers, and then access the host file system or run external binaries. Fix this vulnerability as soon as possible.

Affected Scope

ACK Edge clusters running versions 1.20, 1.22, 1.24, or 1.26 with containerd runtime versions 1.5.13 or 1.6.20. Other versions are not affected.

On the Node Pools page, click the node pool ID. Then, click the Basic Information tab to view the node pool's runtime and runtime version.

Note
  • New clusters and new nodes in existing clusters are already upgraded and are not affected by this vulnerability.

  • The Docker runtime is not affected by this vulnerability.

Solutions

Fix Script

On each affected node, run the script that matches the node's network access type.

Important

To ensure cluster and application stability, apply the fix to affected nodes in batches using grayscale deployment. Do not perform a full deployment.

  • Public Network Access Node

    wget -qr https://ack-edge-cn.oss-rg-china-mainland.aliyuncs.com/runc-edge-cve.sh -O /tmp/runc-cve.sh && bash /tmp/runc-cve.sh
  • Leased Line Access Node

    Specify the cluster's region in the command.

    export REGION=cn-hangzhou; wget -qr "https://aliacs-k8s-${REGION}.oss-${REGION}-internal.aliyuncs.com/public/pkg/edge/runc-edge-cve-internal.sh" -O /tmp/runc-cve.sh && bash /tmp/runc-cve.sh

Expected Outputs

  • The following output indicates that the node is not affected by the vulnerability and that the script made no changes. No further action is needed for this node.

    runc version is low, no cve, is safe
  • The following output indicates that the node was affected and that the patched runc binary has been put in place. In this scenario, it is highly probable that all node pools have the vulnerability. Apply the fix to nodes in batches using grayscale deployment and monitor the service status.

    cve is fixed...ok

Version Information

You can execute the following command to retrieve the runc tool version information after the fix.

runc --version | grep commit | awk -F "-g" '{print $2}'

Expected output:

390c7001

Note
  • The fix script does not change or upgrade the runc version.

  • This runc version is maintained by ACK. It falls within the range of affected community versions, but the vulnerability has been fixed.

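As an added example (not part of the ACK documentation or of its fix script), the following shell functions combine the two facts this page uses, the containerd version from Affected Scope and the runc commit from Version Information, into a single classification of a node's state. The sample `runc --version` outputs are constructed; the affected containerd versions and the fixed commit are the ones stated on the page.

```shell
#!/bin/sh
# Added example (not part of the ACK documentation or of the fix script):
# classify a node's CVE-2024-21626 state from the containerd version and
# the runc commit. Version strings are passed in as arguments so the
# logic can be exercised without a real node.

# containerd versions the page lists as affected.
AFFECTED_CONTAINERD="1.5.13 1.6.20"
# Short commit of the ACK-maintained patched runc, as printed after the fix.
FIXED_RUNC_COMMIT="390c7001"

# Extract the short commit hash from `runc --version` output, using the
# same field split on "-g" as the page's one-liner.
runc_commit() {
    printf '%s\n' "$1" | grep commit | awk -F "-g" '{print $2}'
}

# Succeed (exit 0) when the given containerd version is in the affected list.
containerd_affected() {
    for v in $AFFECTED_CONTAINERD; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Print one of: not-affected, patched, needs-fix.
#   $1 = containerd version string, $2 = full output of `runc --version`
node_state() {
    if ! containerd_affected "$1"; then
        echo not-affected
        return 0
    fi
    if [ "$(runc_commit "$2")" = "$FIXED_RUNC_COMMIT" ]; then
        echo patched
    else
        echo needs-fix
    fi
}

# Constructed `runc --version` outputs (version numbers are placeholders;
# only the commit field matters to the check).
RUNC_PATCHED="runc version 1.1.0
commit: v1.1.0-0-g390c7001
spec: 1.0.2-dev"
RUNC_UNPATCHED="runc version 1.1.0
commit: v1.1.0-0-gdeadbeef
spec: 1.0.2-dev"

# On a real node, pass the node's own strings, for example:
#   node_state "<containerd version>" "$(runc --version)"
node_state 1.6.20 "$RUNC_UNPATCHED"   # needs-fix
node_state 1.6.20 "$RUNC_PATCHED"     # patched
```
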
Rollback Plan

If the fix causes unexpected behavior, run the following commands on the node to restore runc to its original version from the backup that the fix script created.

# Locate the runc binary currently in PATH and restore the backup
# that the fix script left next to it.
runc_path=$(command -v runc)
cp -f "${runc_path}_bak" "${runc_path}"

References

CVE-2024-21626 Vulnerability Announcement