We reported this to Google through their Vulnerability Disclosure Program on November 21, 2025.
Subscribe to unlock this article
,更多细节参见Line官方版本下载
更多精彩内容,关注钛媒体微信号(ID:taimeiti),或者下载钛媒体App
A useful mental model here is shared state versus dedicated state. Because standard containers share the host kernel, they also share its internal data structures like the TCP/IP stack, the Virtual File System caches, and the memory allocators. A vulnerability in parsing a malformed TCP packet in the kernel affects every container on that host. Stronger isolation models push this complex state up into the sandbox, exposing only simple, low-level interfaces to the host, like raw block I/O or a handful of syscalls.