Comment by jrpear
8 hours ago
It looks to me like what is called a "container escape" in this context isn't necessarily as bad as it seems. For example, in the advisory for CVE-2025-31133 affecting runc[1]:
> Container Escape: ...Thus, the attacker can simply trigger a coredump and gain complete root privileges over the host.
Sounds bad. But...
> this flaw effectively allows any attacker that can spawn containers (with some degree of control over what kinds of containers are being spawned) to achieve the above goals.
The attacker already needs to have the capability to spawn containers! This isn't a case of "RCE within the container" -> "RCE outside the container", which is what I would think on a prima facie reading of "container escape".
I have always thought that running an untrusted image within an unprivileged container was a safe thing to do and I still believe so.
[1] https://github.com/opencontainers/runc/security/advisories/G...