SECURITY researcher Massimiliano Oldani has introduced IPV6_FRAG_ESCAPE, a proof-of-concept exploit that allows for an IPv6 container escape on CentOS and RHEL 10. The vulnerability exploits a patched bug in the Linux kernel's `__ip6_append_data()`, which corrupts packet data and allows an unprivileged process in a container to gain root access on the host system.
This flaw poses a significant threat since many CentOS and RHEL systems enable unprivileged user namespaces by default, widening the attack surface in multi-tenant and cloud environments. The exploit involves a series of steps, including a buffer overflow and subsequent escalation of privileges, and was confirmed on specific kernel versions. A fix has been implemented in the latest kernel patches, and users are encouraged to update or restrict user namespaces to mitigate risks.