Three critical vulnerabilities have been disclosed in runc, the container runtime that underpins Docker, Kubernetes, and other containerization platforms.
The flaws could allow attackers to escape container isolation and gain root access to the host. No active exploitation has been observed so far.
The vulnerabilities abuse mount race conditions and procfs write redirection to break out of container boundaries.
Exploitation requires the ability to start containers with attacker-controlled mount configurations, which makes malicious container images and Dockerfiles the primary attack vectors.
The Sysdig Threat Research Team analyzed all three vulnerabilities and published detailed mitigation recommendations for affected organizations.
runc Vulnerabilities Lead to Container Escape
CVE-2025-31133 abuses runc's maskedPaths feature, which hides sensitive host files from the container by bind-mounting /dev/null over them.
If /dev/null inside the container is replaced with a symlink while the container is being created, runc follows the symlink and mounts its target instead, which lets the attacker write to critical host files such as /proc/sys/kernel/core_pattern and escape the container.
CVE-2025-52565 targets the bind mount of /dev/console that runc performs during container initialization.
Insufficient validation lets an attacker redirect that mount and obtain write access to procfs files that should be protected.
The attack works because the mount is performed before the maskedPaths and readonlyPaths protections are applied.
CVE-2025-52881 lets attackers bypass Linux Security Module (LSM) protections through race conditions involving shared mounts.
By redirecting runc's own procfs writes through a fake procfs, an attacker can make them land on dangerous files such as /proc/sysrq-trigger or /proc/sys/kernel/core_pattern, potentially crashing the host or escaping the container.
Affected Versions and Patches

CVE ID           Vulnerability type                              Affected versions     Fixed versions
CVE-2025-31133   Container escape via maskedPaths abuse          All known versions    1.2.8, 1.3.3, 1.4.0-rc.3 and later
CVE-2025-52565   Container escape via /dev/console mount races   1.0.0-rc3 and later   1.2.8, 1.3.3, 1.4.0-rc.3 and later
CVE-2025-52881   LSM bypass and arbitrary write gadgets          All known versions    1.2.8, 1.3.3, 1.4.0-rc.3 and later
CVE-2025-31133 and CVE-2025-52881 affect all known runc versions, while CVE-2025-52565 affects versions 1.0.0-rc3 and later.
All three vulnerabilities are fixed in runc 1.2.8, 1.3.3, and 1.4.0-rc.3 or later.
Organizations running containerized workloads should update runc to a patched version immediately; in most deployments runc is installed as a dependency of Docker or containerd, so the fix arrives through those packages.
The Sysdig Threat Research Team recommends enabling user namespaces for all containers: when the host's root is not mapped into the container, the container's root cannot write to the host-owned procfs files these attacks target, which blocks the critical attack vectors.
Running containers rootless limits the impact further. AWS released security updates for ECS and EKS on November 5, 2025.
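As an added example (not code from the runc project, Sysdig, or the advisory), the POSIX shell script below turns the version table and the user-namespace recommendation into two checks an operator can run: runc_fix_status classifies a runc version string as patched, vulnerable or unknown against the fixed releases 1.2.8, 1.3.3 and 1.4.0-rc.3, and uidmap_root_status reads the text of a /proc/<pid>/uid_map and reports whether uid 0 inside that namespace is host root, which is exactly what user namespaces are meant to prevent. Both function names are this example's own; it assumes that `runc --version` prints `runc version X.Y.Z` on its first line, and the version strings and uid_map lines used below are constructed.

```shell
#!/bin/sh
# Added example, not code from the runc project, Sysdig or the advisory.
#   runc_fix_status    classifies a runc version string against the fixed
#                      releases 1.2.8, 1.3.3 and 1.4.0-rc.3 (or later);
#   uidmap_root_status reads the text of a /proc/<pid>/uid_map and reports
#                      whether uid 0 inside the namespace is host root, i.e.
#                      whether the user-namespace mitigation is in effect.
# Assumed: "runc --version" prints "runc version X.Y.Z" on its first line.

# Print "patched", "vulnerable" or "unknown" for one runc version string.
# Accepts "1.2.7", "v1.2.7", "1.4.0-rc.3", "1.0.0-rc3" and "1.2.8+dev".
runc_fix_status() {
    v=${1#v}                 # tolerate a leading "v"
    v=${v%%+*}               # drop build metadata after "+"
    base=${v%%-*}            # "1.4.0" from "1.4.0-rc.3"
    suffix=${v#"$base"}      # "-rc.3", "-rc3" or empty

    # Split major.minor.patch by hand: "sort -V" orders "1.4.0" before
    # "1.4.0-rc.3", which is the wrong answer for a pre-release.
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    major=$1; minor=$2; patch=${3:-0}
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done

    status=vulnerable        # default: every release before 1.2.8 is affected
    case "$major.$minor" in
        1.2) if [ "$patch" -ge 8 ]; then status=patched; fi ;;
        1.3) if [ "$patch" -ge 3 ]; then status=patched; fi ;;
        1.4) if [ "$patch" -gt 0 ] || [ -z "$suffix" ]; then
                 status=patched              # 1.4.0 final or a later 1.4.x
             else
                 case "$suffix" in
                     -rc.[0-9]*) rc=${suffix#-rc.}; rc=${rc%%[!0-9]*}
                                 if [ "$rc" -ge 3 ]; then status=patched; fi ;;
                     *)          status=unknown ;;   # unfamiliar pre-release tag
                 esac
             fi ;;
        0.*|1.[01]) ;;                       # pre-1.2 series, incl. 1.0.0-rc3: no fixed release
        *)   if [ "$major" -gt 1 ] || [ "$minor" -gt 4 ]; then status=patched; fi ;;
    esac
    echo "$status"
}

# Print "host-root" when uid 0 inside the namespace maps to host uid 0 (no
# user-namespace protection), "remapped" when it maps elsewhere, and
# "not-mapped" when uid 0 has no mapping at all. The argument is the text
# of a uid_map file: one "<inside-uid> <outside-uid> <count>" line per range.
uidmap_root_status() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 == 0 && $3 > 0 {
            if ($2 == 0) print "host-root"; else print "remapped"
            found = 1; exit
        }
        END { if (!found) print "not-mapped" }'
}

# Stand-alone use: "sh runc-check.sh 1.2.7 1.3.3" classifies the given
# versions; with no arguments it checks the runc on PATH and this process's
# own uid_map (run it inside a container to see what the container gets).
if [ $# -gt 0 ]; then
    for ver in "$@"; do echo "runc $ver: $(runc_fix_status "$ver")"; done
else
    installed=$(runc --version 2>/dev/null | awk 'NR == 1 { print $3 }')
    if [ -n "$installed" ]; then
        echo "installed runc $installed: $(runc_fix_status "$installed")"
    else
        echo "runc not found on PATH"
    fi
    if [ -r /proc/self/uid_map ]; then
        echo "uid 0 here: $(uidmap_root_status "$(cat /proc/self/uid_map)")"
    fi
fi
```

A uid_map of `0 0 4294967295` (host-root) means the container's root is the host's root and a procfs write redirected by any of the three bugs hits host-owned files with full privileges; `0 100000 65536` (remapped) is what Docker's userns-remap or a Kubernetes pod with hostUsers: false produces, and is the configuration the Sysdig recommendation calls for.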
