From 623a1aa90b8de61a136ffbd321e51dd1959734ca Mon Sep 17 00:00:00 2001
From: Sebastien Tardif <sebtardif@ncf.ca>
Date: Wed, 17 Jun 2026 12:18:15 -0700
Subject: [PATCH] fix: close HijackedResponse in attach() to prevent connection
 leak

The attach() method creates a HijackedResponse via ContainerAttach but
never closes it. The goroutine reading from out.Reader keeps the
underlying TCP connection open even after the read completes.

The sibling exec() method at line 600 in the same file correctly uses
defer resp.Close() for the same resource type.

Add defer out.Close() inside the goroutine so the connection is released
after the container output stream ends.

This bug has been present since commit 532af98 (2020-02-06).
---
 pkg/container/docker_run.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/container/docker_run.go b/pkg/container/docker_run.go
index 985ba2f8d95..e73159c77a8 100644
--- a/pkg/container/docker_run.go
+++ b/pkg/container/docker_run.go
@@ -862,6 +862,7 @@ func (cr *containerReference) attach() common.Executor {
 			errWriter = os.Stderr
 		}
 		go func() {
+			defer out.Close()
 			if !isTerminal || os.Getenv("NORAW") != "" {
 				_, err = stdcopy.StdCopy(outWriter, errWriter, out.Reader)
 			} else {