If there was a similar class of bug in the illumos kernel, it would also allow for a container escape, no?
There are many issues with the formulation of containers on Linux (though I think people overstate it whenever bugs like this happen) but ultimately this bug was a UAF that gave you arbitrary code execution in the kernel. Zone IDs are also just numbers in kernel memory... right?
Not necessarily. Zones in illumos (and Solaris before) were designed from ground up to be secure in multitenant workloads[0]. It's quite different from the duct tape style[1] of linux containerization.
[0]https://www.usenix.org/legacy/event/lisa04/tech/full_papers/...
[1]Tape different things together and see if it holds.