PatchSiren cyber security CVE debrief
CVE-2016-9962 Docker CVE debrief
CVE-2016-9962 describes a container-runtime isolation flaw in runc, the runtime underneath Docker Engine: additional container processes started through runc exec could be ptraced by the container's PID 1 during their initialization, before they were fully placed inside the container. According to the record, a container init process running as root could use that timing window to gain access to the new process's file descriptors, modify runC state, or escape the container. NVD rates the issue CVSS 6.4 (medium), but the impact on an affected host is serious because the result crosses the container boundary.
- Vendor: Docker
- Product: Docker Engine / runc
- CVE: CVE-2016-9962
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-31
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-31
- Advisory updated: 2026-05-13
Who should care
Operators running affected Docker Engine / runc versions, especially on shared or multi-tenant Linux hosts, should care most. It also matters to distro maintainers and platform teams that package or orchestrate Docker-based workloads, particularly where the container's init process runs as root or workloads rely heavily on exec-style process launches.
Technical summary
NVD maps this CVE to CWE-362 (race condition) and scores it CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. The supplied description says runc allowed extra container processes created via runc exec to be ptraced by the container's PID 1 during initialization, before the new process was fully placed inside the container. A root process inside the container can thereby obtain the new process's file descriptors and either escape the container or alter runC state.
Defensive priority
Medium priority overall, with expedited patching recommended for any production host running affected Docker/runc packages. The vector requires local access and high privileges (AV:L, PR:H) and the timing window raises attack complexity (AC:H), but the potential outcome is container escape with full confidentiality, integrity, and availability impact on the affected host.
Recommended defensive actions
- Upgrade Docker/runc to a version that includes the upstream fix; the NVD CPE range for Docker covers 1.11.0 up to but not including 1.12.6, and the record includes a Docker 1.12.6 release reference.
- Inventory hosts, packages, and orchestration nodes to identify any affected Docker Engine / runc installations before normal maintenance windows.
- Review workloads that depend on container-root privileges or frequent runc exec usage and reduce privilege where possible.
- Apply the vendor and distribution guidance referenced in the record, including Red Hat, Fedora, and Gentoo advisories.
- After patching, verify runtime versions and confirm normal container exec workflows still behave as expected.
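The inventory and post-patch verification steps above reduce to a version comparison against the NVD CPE range quoted in this debrief. The following is an added example, not code from the record or from the Docker/runc projects. It assumes each host reports its engine version as a string shaped like the output of `docker version --format '{{.Server.Version}}'` (for example "1.12.5" or "17.03.0-ce"); the host names and versions in the inventory are constructed sample data.

```python
"""Host triage for CVE-2016-9962 against the NVD CPE range for Docker:
1.11.0 (inclusive) up to 1.12.6 (exclusive). Added example, not project code."""
import re

# NVD CPE range quoted in the debrief
AFFECTED_MIN = (1, 11, 0)
FIXED_IN = (1, 12, 6)

# major.minor[.patch][-rcN]; trailing edition suffixes like "-ce" are ignored
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, rc_rank), or None.

    A release candidate ranks below its final release (rc_rank = -1), so
    "1.12.6-rc1" still counts as older than the fixed 1.12.6 release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    rc_rank = -1 if rc is not None else 0
    return (int(major), int(minor), int(patch or 0), rc_rank)


def is_affected(version_text):
    """True if the Docker version falls inside the NVD CPE range.

    Pre-releases at the boundaries are treated conservatively: an rc of
    1.11.0 is reported as affected, and an rc of 1.12.6 is not yet fixed.
    """
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unparseable Docker version: {version_text!r}")
    return AFFECTED_MIN + (-1,) <= v < FIXED_IN + (0,)


def triage(inventory):
    """Classify a {host: version_string} map into affected / not_affected / unknown.

    Hosts whose agent returned nothing parseable land in 'unknown' so they
    are followed up rather than silently treated as patched.
    """
    report = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            bucket = "unknown"
        report[bucket].append(host)
    return report


# Constructed sample inventory (hypothetical hosts, not real data)
SAMPLE_INVENTORY = {
    "node-a": "1.12.5",       # inside the range
    "node-b": "1.12.6",       # first release outside the range (fixed)
    "node-c": "1.11.2",       # inside the range
    "node-d": "17.03.0-ce",   # later version scheme, after the fix
    "node-e": "1.12.6-rc1",   # pre-release of the fix, still affected
    "node-f": "1.10.3",       # below the range start
    "node-g": "n/a",          # agent returned nothing usable
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run the same check after patching to confirm every host has moved out of the affected bucket, and treat the unknown bucket as work to do rather than as clean. The range starts at 1.11.0 because that is the first Docker release built on runc; versions below it are outside the NVD record for this CVE, not verified safe.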
Evidence notes
This debrief is based only on the supplied CVE/NVD metadata and listed references. The record provides the official CVSS vector, CWE-362 mapping, and affected Docker CPE range (1.11.0 through before 1.12.6), plus references to Docker 1.12.6, an upstream runc patch commit, and vendor/distro advisories. No exploit code or unsupported operational details are included.
Official resources
- CVE-2016-9962 CVE record (CVE.org)
- CVE-2016-9962 NVD detail (NVD)
- Source item: NVD modified feed (nvd_modified)
- Mitigation or vendor references: two mailing-list / third-party advisories and one third-party advisory listed as a VDB entry, alongside the Red Hat, Fedora, and Gentoo advisories cited above
The CVE record was published on 2017-01-31 and last modified on 2026-05-13. The reference set includes vendor, distro, and upstream material, including a Docker 1.12.6 release reference and an upstream runc patch commit.