Docker security

Container breakouts: abusing the SYS_PTRACE capability

The SYS_PTRACE capability can be dangerous if it is granted to a container: the container can then attach to and debug processes. If the container also shares the host's PID namespace, an attacker can inject a bind shell shellcode from the container into a process running on the host machine.
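A defender-side check for the two conditions described above, as an added example that is not part of the original page: it decodes the CapEff bitmask from /proc/<pid>/status (CAP_SYS_PTRACE is bit 19 in linux/capability.h) and audits `docker inspect`-style output for CapAdd SYS_PTRACE combined with a host PID namespace. The status text, the container name and the inspect JSON are constructed samples, not real output.

```python
import json
import re

# Capability bit number from linux/capability.h.
CAP_SYS_PTRACE = 19

# Constructed sample of /proc/self/status inside a container started with
# --cap-add SYS_PTRACE (Docker's default set is 0x00000000a80425fb; bit 19 adds 0x80000).
SAMPLE_STATUS = """Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80c25fb
CapEff:\t00000000a80c25fb
CapBnd:\t00000000a80c25fb
"""

# Constructed sample in the shape of `docker inspect` output for a hypothetical container.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/debug-box",
    "HostConfig": {"CapAdd": ["SYS_PTRACE"], "PidMode": "host", "Privileged": False},
}])


def effective_caps(status_text):
    """Return the CapEff bitmask parsed from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def has_cap(capmask, bit):
    """True if capability number `bit` is set in the bitmask."""
    return bool(capmask & (1 << bit))


def audit_inspect(inspect_json):
    """Flag containers that hold CAP_SYS_PTRACE and/or share the host PID namespace."""
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        # Normalise "CAP_SYS_PTRACE", "sys_ptrace" and "SYS_PTRACE" to one spelling.
        caps = {x.upper()[4:] if x.upper().startswith("CAP_") else x.upper()
                for x in (hc.get("CapAdd") or [])}
        if "SYS_PTRACE" in caps or "ALL" in caps or hc.get("Privileged"):
            findings.append((c["Name"], "CAP_SYS_PTRACE granted"))
        if hc.get("PidMode") == "host":
            findings.append((c["Name"], "shares host PID namespace"))
    return findings
```

Run `audit_inspect(...)` over real `docker inspect $(docker ps -q)` output, or `effective_caps(open("/proc/self/status").read())` from inside a container, to apply the same checks to live systems.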

Here is an example in the following video, where we assume that a developer has mapped the PID namespace of the underlying host machine into the Docker container and has granted it the SYS_PTRACE capability to enable debugging operations: