Scenario Brief: Pod Escape via Cgroup Namespace TOCTOU — A Containerd Threat Model

RingSafe Cloud Advisory — a hypothetical CVE-2026-XXXXX — 22 May 2026

Why the “baseline” profile is not enough

The flaw exploits a window between (a) the runtime checking that a syscall is permitted by the workload’s seccomp profile and (b) actually executing it. By chaining ptrace against the runtime’s own PID-1 supervisor process, an attacker who has compromised a single pod gains the ability to read and modify other containers’ namespace mappings on the same node. Pod-to-pod isolation collapses.

The baseline Pod Security Standard does not block CAP_SYS_PTRACE, which is the prerequisite capability. Only the “restricted” profile or a custom PSP/Kyverno rule denying that capability protects against the chain.

Who is most at risk

• Indian SaaS multi-tenants running customer workloads in shared node pools (CI/CD platforms, vector DB providers, AI inference platforms).
• Banks and NBFCs running modernised core systems on K8s with the default EKS/GKE Pod Security Admission settings.
• Anyone running a Jenkins, Tekton, or GitLab Runner pod with privileged: true — these were already a risk, but this CVE removes the need for that flag.

RingSafe analysis

The deeper story is that “baseline” PSA was always a transitional setting, designed to make migration off the deprecated PodSecurityPolicy painless rather than to be a target state. Two years on, most Indian K8s deployments still treat baseline as their permanent security posture. This CVE will force a re-evaluation.

Operationally, the right control is Kyverno or OPA Gatekeeper denying every capability except those a workload explicitly requires, combined with gVisor or Kata Containers for any pod that handles untrusted code or data.

Detection and response

• Falco rule: spawned_process where proc.name=ptrace and container.image.repository != known-debugger-list.
• Cilium Tetragon: monitor tracepoint:syscalls:sys_enter_ptrace per-pod, alert on first occurrence in production.
• Audit logs: look for kube-apiserver RBAC denials on pods/exec followed by successful container-level access from the same source.

Hardening before the patch lands

• Set every namespace to pod-security.kubernetes.io/enforce: restricted unless you have an explicit exception.
• Apply a Kyverno cluster policy denying CAP_SYS_PTRACE globally.
• For multi-tenant clusters, evaluate node-pool isolation by tenant tier.