Company
Date Published
Author
Rory McNamara
Word count
1022
Language
English
Hacker News points
None

Summary

CVE-2024-23651 is a vulnerability in Docker's BuildKit that lets a malicious container escape to the underlying host by winning a time-of-check/time-of-use (TOCTOU) race in the way BuildKit mounts a cache volume (`RUN --mount=type=cache`) during an image build. Because the Docker engine, and with it the BuildKit daemon, normally runs as root, a successful exploit gives the attacker root command execution on the build host. Snyk recommends upgrading BuildKit to v0.12.5 or later and using the detection tooling it released alongside the disclosure, an eBPF-based runtime detector and a static analysis detector, to spot exploit attempts. Organizations that build images through a hosted service should also confirm that their container infrastructure provider has applied the patch. Finally, building from well-maintained parent images obtained from trusted sources, and keeping those images current, remains good practice.
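As an added example, not code from the Snyk post or from its detectors, the following Python triage script does two of the checks a practitioner would want after reading the summary: it compares a reported BuildKit version against the v0.12.5 fix threshold, and it scans a Dockerfile for `RUN --mount=type=cache` mounts, reporting any cache id that is referenced from more than one build stage. The second check is a heuristic and an assumption of this example (the race involves parallel build steps sharing a cache mount, so shared cache mounts are where a build's exposure is concentrated); the sample Dockerfile and all function names are constructed here.

```python
"""Triage helpers for CVE-2024-23651 (BuildKit cache-mount TOCTOU).

Added example, not Snyk's detector. Provides:
  is_buildkit_fixed(version)   -> True if version >= v0.12.5
  find_cache_mounts(dockerfile) -> every `--mount=type=cache` in a Dockerfile
  shared_cache_mounts(mounts)   -> cache ids used from more than one stage
                                   (heuristic assumption of this example)
"""
import re
from collections import defaultdict

FIXED_VERSION = (0, 12, 5)  # first BuildKit release with the fix, per the post

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")
_FROM_RE = re.compile(r"^FROM\s+(?:--\S+\s+)*\S+(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Extract (major, minor, patch) from 'v0.12.4' or 'buildkitd ... v0.12.5'."""
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"no semantic version found in {version!r}")
    return tuple(int(x) for x in m.groups())


def is_buildkit_fixed(version: str) -> bool:
    """Return True if the given BuildKit version carries the fix."""
    return parse_version(version) >= FIXED_VERSION


def _logical_lines(dockerfile: str):
    """Yield (first_physical_line, text) with backslash continuations joined
    and blank/comment lines dropped."""
    buf, start = [], None
    for lineno, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def find_cache_mounts(dockerfile: str) -> list:
    """Return one dict per cache mount: its stage name, line and options.
    Only the leading `--flag` tokens of a RUN instruction are inspected, so a
    `--mount=` string inside the shell command itself is ignored."""
    mounts = []
    stage, stage_idx = None, -1
    for lineno, text in _logical_lines(dockerfile):
        m = _FROM_RE.match(text)
        if m:
            stage_idx += 1
            stage = m.group(1) or str(stage_idx)  # unnamed stages are numbered
            continue
        tokens = text.split()
        if tokens[0].upper() != "RUN":
            continue
        for tok in tokens[1:]:
            if not tok.startswith("--"):
                break  # first non-flag token starts the command
            if not tok.startswith("--mount="):
                continue
            spec = tok[len("--mount="):]
            opts = dict(kv.split("=", 1) if "=" in kv else (kv, "true")
                        for kv in spec.split(","))
            if opts.get("type", "bind") != "cache":  # BuildKit's default type is bind
                continue
            mounts.append({"stage": stage, "line": lineno, "options": opts})
    return mounts


def shared_cache_mounts(mounts: list) -> dict:
    """Group cache mounts by id (BuildKit defaults the id to the target path)
    and return those referenced from more than one build stage."""
    by_id = defaultdict(list)
    for m in mounts:
        o = m["options"]
        key = o.get("id") or o.get("target") or o.get("dst") or o.get("destination")
        by_id[key].append(m)
    return {k: v for k, v in by_id.items() if len({m["stage"] for m in v}) > 1}


# Constructed sample Dockerfile (not from the post): two stages share cache id
# "gomod" with a subpath, a third stage uses its own apk cache.
SAMPLE_DOCKERFILE = """\
# constructed sample
FROM golang:1.21 AS build
RUN --mount=type=cache,id=gomod,target=/go/pkg/mod,source=mod \\
    go build ./...

FROM golang:1.21 AS test
RUN --mount=type=cache,id=gomod,target=/go/pkg/mod,source=mod \\
    --mount=type=bind,target=/src \\
    go test ./...

FROM alpine:3.19
RUN --mount=type=cache,target=/var/cache/apk apk add curl
"""

if __name__ == "__main__":
    print("v0.12.4 fixed:", is_buildkit_fixed("v0.12.4"))
    for cache_id, uses in shared_cache_mounts(find_cache_mounts(SAMPLE_DOCKERFILE)).items():
        stages = sorted({u["stage"] for u in uses})
        print(f"cache {cache_id!r} shared across stages {stages}; review before building untrusted Dockerfiles")
```

The version check is the decisive control; the Dockerfile scan is a review aid for pipelines that build third-party Dockerfiles before the hosts are confirmed patched, and it will flag legitimate cache sharing as well.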