Runc and Buildkit CVE update: CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, CVE-2024-23653

We recently became aware of four CVEs related to runc and Buildkit [more on Docker’s blog here: Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby | Docker.

For cloud customers:
As of February 1, 2024 at 15:00 UTC we have fully addressed these CVEs on our cloud service, and no further action is needed for cloud customers at this time.

For server customers:
If you are using CircleCI’s Terraform to create Nomad client clusters, you should upgrade to the latest version, 4.4.1 [Release 4.4.1 Release · CircleCI-Public/server-terraform · GitHub]. You can apply this change to any CircleCI server version of 4.0 and above. If your team is using your own Terraform to create Nomad clients, please reach out to your internal infrastructure team about updating the Docker engine in those clients.For questions, please reach out to

Should we update setup_remote_docker in out config to mitigate this issue?

Hi Arjun,
As a cloud customer, no mitigation steps are needed. With any security-related activity, it is always a good idea to upgrade to the latest version. And best practice to rotate secrets for that matter.