RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
https://security.gentoo.org/glsa/201701-34
https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5
https://access.redhat.com/security/vulnerabilities/cve-2016-9962
http://www.securityfocus.com/bid/95361