Login
Researchers Uncover Critical runC Bugs Allowing Full Container Escape
11 November 2025 at 02:45
Details of all the Vulnerabilities: CVE-2025-31133, CVE-2025-52565 and CVE-2025-52881Β
CVE-2025-31133 involves how runC implements βmasked paths.β When the runtime bind-mounts /dev/null over a file to block access, an attacker can replace /dev/null with a symlink to a sensitive host file. This can cause runC to mount that host path as read-write, enabling an attacker to alter kernel parameters or trigger system crashes through /proc/sysrq-trigger. This vulnerability impacts all known versions of runC before the latest patches.Β CVE-2025-52565 is a similar issue that targets /dev/console mounts. When runC attempts to bind /dev/console to /dev/pts/$n, an attacker who replaces /dev/pts/$n with a symlink can cause the bind-mount to target a different file. This vulnerability affects all versions of runC from 1.0.0-rc3 onward. Like CVE-2025-31133, it can be exploited to create read-write binds to critical procfs files, resulting in container breakout. The flaw has a CVSS score of 7.3.Β While addressing CVE-2025-52565, developers also identified potential risks in how runC used file creation functions. Though these were not directly exploitable, fixes were included as a precaution. Additional mitigations were also applied to reduce race conditions in /dev/pts/$n, even though they are largely hypothetical in most deployments. CVE-2025-52881 represents a more advanced attack vector that builds on previous runC vulnerabilities. It allows an attacker to redirect write operations within procfs, bypassing Linux Security Module (LSM) protections such as AppArmor and SELinux. This could enable malicious writes to files like /proc/sysrq-trigger, causing host crashes, or to /proc/sys/kernel/core_pattern, facilitating a container escape. This vulnerability affects all known versions of runC and has a CVSS score of 7.3. Researchers note that CVE-2025-52881 can pair with the other two flaws to simplify exploitation, acting as an LSM bypass that allows arbitrary writes to host files.ΒFixes, Versions, and MitigationΒ
The vulnerabilities have been addressed in runC v1.2.8, v1.3.3, and v1.4.0-rc.3. The patches introduce extensive code changes not only to runC itself but also to the supporting library filepath-securejoin, which handles secure path resolution. Maintainers strongly advise vendors and users to upgrade directly to these versions rather than applying individual patches, as the fixes are interdependent and cover overlapping issues across the three CVEs.Β Recommended mitigations include:Β- By preventing the host root user from being mapped inside the container, unauthorized writes to procfs files are blocked by standard Unix permissions.Β
- Containers should be configured with restricted privileges, and setuid binaries should be disabled using the noNewPrivileges flag.Β
- SELinux may help limit exposure in certain cases, but CVE-2025-52881 can bypass LSM protections, making AppArmor or SELinux alone insufficient.Β
