Content Deep Dive
Detecting + preventing cgroups escape via SCTP – CVE-2019-3874.
Blog post from Sysdig
Post Details
Company:
Date Published:
Author: Harry Perks
Word Count: 755
Language: English
Hacker News Points: -
Summary
CVE-2019-3874 is a Linux kernel vulnerability that lets an attacker bypass cgroup memory isolation through the SCTP socket buffer, potentially leading to denial of service in containerized environments. Sysdig Falco, an open-source container security monitor, can detect and prevent exploitation of this vulnerability by using its rules engine to identify and stop suspicious SCTP bind attempts. The vulnerability has a CVSS rating of 5.3, and a kernel patch is in development. Sysdig's platform offers a comprehensive suite of security measures, including image scanning and container compliance, to prevent exploitation and maintain a best-practice security posture in Docker and Kubernetes environments.