Palo Alto Networks Security Advisories / PAN-SA-2024-0002

PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)



The Palo Alto Networks Product Security Assurance team has evaluated the four vulnerabilities in Open Container Initiative's runc and Moby BuildKit software (collectively known as "Leaky Vessels") as it relates to our products.

While Cortex XSOAR 8, Cortex XSOAR 6 Hosted, and Prisma Cloud Compute rely on this software, they do not offer any scenarios required for the successful exploitation of these vulnerabilities and are not impacted.

Cortex XSOAR 6 On Premise deployments using Docker 25.0.2 or later are not impacted.

At present, no other Palo Alto Networks products are known to contain the vulnerable software packages and be impacted by these issues.

Protecting our customers is our highest priority. Palo Alto Networks and its Unit 42 threat research team have closely monitored all developments. You can find technical details, regular updates and guidance here:

CVE-2024-21626Several runc container breakouts due to internally leaked fds.
CVE-2024-23651BuildKit possible race condition with accessing subpaths from cache mounts.
CVE-2024-23652BuildKit possible host system access from mount stub cleaner.
CVE-2024-23653BuildKit interactive containers API does not validate entitlements check.

Product Status

Cortex XSOAR 6 HostedNoneAll
Cortex XSOAR 6 On PremiseNoneAll using Docker 25.0.2 or later
Cortex XSOAR 8NoneAll
Prisma Cloud Compute NoneAll

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of these issues in any of our products. Proof of concepts for CVE-2024-21626 have been observed.

Weakness Type

CWE-403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

CWE-668 Exposure of Resource to Wrong Sphere

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-863 Incorrect Authorization


Cortex XSOAR 6 On Premise deployments should ensure use of Docker 25.0.2 or higher. For additional guidance in hardening Docker with Cortex XSOAR, please see


Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.