D2 · Threats

What is a container escape?

A container escape breaks out of a container's isolation to reach the host OS or other containers, typically by exploiting misconfigurations (the --privileged flag, host volume mounts) or vulnerabilities in the container runtime.
Privileged containers have full host access and are effectively root on the host; never run them in production. Host path mounts (especially of /) give the container access to the host filesystem. Check for excessive Linux capabilities granted to containers. In Kubernetes, the pod or container securityContext is where these restrictions (no privileged mode, dropped capabilities) are enforced.
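As an added example (not part of the glossary), a small audit that checks a Kubernetes pod manifest for the three risks above and shows a weak spec beside its hardened securityContext; the manifests are constructed inline as dicts and the set of dangerous capabilities is an assumption for the example.

```python
# Added example, not from the glossary: audit a Kubernetes pod manifest for the
# container-escape risks named above (privileged containers, hostPath mounts,
# dangerous added capabilities). Manifests are constructed inline as dicts, the
# shape yaml.safe_load() produces, so only the standard library is needed.

# Capabilities treated as host-equivalent here; the set is an assumption for the example.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN"}


def audit_pod(pod: dict) -> list[str]:
    """Return one finding per risky setting; an empty list means the spec passed."""
    findings = []
    spec = pod.get("spec", {})
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true (effectively root on the host)")
        added = {cap.upper() for cap in (sc.get("capabilities") or {}).get("add", [])}
        if added & DANGEROUS_CAPS:
            findings.append(f"{name}: adds dangerous capabilities {sorted(added & DANGEROUS_CAPS)}")
        for m in c.get("volumeMounts", []):
            path = volumes.get(m["name"], {}).get("hostPath", {}).get("path")
            if path:  # any hostPath exposes the host; "/" exposes all of it
                findings.append(f"{name}: hostPath mount of {path}")
    return findings


# Constructed samples: the weak spec beside its hardened counterpart.
RISKY_POD = {"spec": {
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app",
                    "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
                    "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}

HARDENED_POD = {"spec": {
    "volumes": [{"name": "data", "emptyDir": {}}],
    "containers": [{"name": "app",
                    "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                        "runAsNonRoot": True, "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}},
                    "volumeMounts": [{"name": "data", "mountPath": "/data"}]}]}}

if __name__ == "__main__":
    print(audit_pod(RISKY_POD))     # three findings
    print(audit_pod(HARDENED_POD))  # []
```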