Container escape is a break-out from a container into the underlying host system. Containers are meant to isolate processes, files, and network access, but they still share the host kernel. If an attacker finds a flaw in a container runtime, a kernel feature, or a misconfigured permission boundary, code running inside the container may cross that boundary and gain access to the host.
This matters because a container is not a security boundary by itself if the kernel can be reached or abused. In real attacks, container escape often follows a local privilege escalation, a mounted host filesystem, dangerous Linux capabilities, or a vulnerable kernel path. Once the host is compromised, the attacker can tamper with logs, disable defenses, steal secrets, and pivot to other workloads. Defenders reduce the risk by patching kernels and runtimes quickly, dropping unnecessary capabilities, avoiding privileged containers, and limiting access to risky host features and modules.
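As an added example (not part of the original text), the following Python script audits a container's `HostConfig` section, in the shape `docker inspect` emits, for the risk factors named above: privileged mode, dangerous added capabilities, bind mounts of sensitive host paths, a shared host PID namespace, and a disabled seccomp or AppArmor profile. The inspect JSON is constructed for the example, and the lists of risky capabilities and sensitive host paths are assumptions a team would tune to its own environment.

```python
"""Flag container settings that commonly turn a container into a host foothold."""
import json

# Capabilities that reach into kernel or host features the container boundary is
# meant to hide (assumed starting list, extend to taste).
RISKY_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "DAC_READ_SEARCH"}
# Host paths whose bind-mount hands the container a direct route onto the host.
SENSITIVE_HOST_PATHS = ("/proc", "/sys", "/dev", "/etc", "/var/run/docker.sock")


def host_path_is_sensitive(host_path: str) -> bool:
    """True if host_path is the host root or lies under a sensitive location."""
    path = host_path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_host_config(host_config: dict) -> list[str]:
    """Return one finding per risky setting found in a docker-inspect HostConfig."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("privileged container: all capabilities and host devices exposed")
    added = {c.upper().removeprefix("CAP_") for c in host_config.get("CapAdd") or []}
    for cap in sorted(added & RISKY_CAPS):
        findings.append(f"dangerous capability added: {cap}")
    for bind in host_config.get("Binds") or []:      # "host_path:container_path[:opts]"
        if host_path_is_sensitive(bind.split(":", 1)[0]):
            findings.append(f"sensitive host path mounted: {bind}")
    if host_config.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    for opt in host_config.get("SecurityOpt") or []:  # e.g. "seccomp=unconfined"
        if opt.endswith("unconfined"):
            findings.append(f"kernel confinement disabled: {opt}")
    return findings


# Constructed sample in the layout of `docker inspect <container>` output.
SAMPLE_INSPECT = json.loads("""
[{"Name": "/build-agent",
  "HostConfig": {"Privileged": false,
                 "CapAdd": ["SYS_ADMIN", "NET_BIND_SERVICE"],
                 "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/home/ci/work:/work"],
                 "PidMode": "host",
                 "SecurityOpt": ["seccomp=unconfined"]}}]
""")

if __name__ == "__main__":
    for finding in audit_host_config(SAMPLE_INSPECT[0]["HostConfig"]):
        print(f"{SAMPLE_INSPECT[0]['Name']}: {finding}")
```

Run it against real output with `docker inspect <container> > dump.json` and load that file in place of the constructed sample.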



