Three newly disclosed vulnerabilities in the runC container runtime used in Docker and Kubernetes allow attackers to bypass isolation restrictions and gain access to the host system.
This week, SUSE software engineer and Open Container Initiative (OCI) board member Aleksa Sarai reported and disclosed the security issues, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881.
runC serves as a universal container runtime and the OCI reference implementation for running containers. It handles low-level operations such as creating container processes, setting up namespaces, mounts, and cgroups that higher-level tools like Docker and Kubernetes rely on.
An attacker who exploits these vulnerabilities can obtain write access to the underlying container host with root privileges:
- CVE-2025-31133 — runC uses /dev/null bind-mounts to “mask” sensitive host files. When an attacker replaces /dev/null with a symlink during container initialization, runC may bind-mount an attacker-controlled target with read-write permissions into the container. This access enables writes to /proc and allows a container escape.
- CVE-2025-52565 — The /dev/console bind mount can be redirected through races or symlinks, causing runC to mount an unexpected target into the container before applying protections. This flaw can again expose writable access to critical procfs entries and enable breakouts.
- CVE-2025-52881 — Attackers can trick runC into performing writes to /proc that redirect to attacker-controlled targets. This flaw bypasses LSM relabel protections in some variants and turns ordinary runC writes into arbitrary writes to dangerous files like /proc/sysrq-trigger.
CVE-2025-31133 and CVE-2025-52881 affect all runC versions, while CVE-2025-52565 impacts runC versions 1.0.0-rc3 and later. To address these issues, developers released fixes in runC versions 1.2.8, 1.3.3, 1.4.0-rc.3, and later.
Researchers at cloud security company Sysdig explain that the three vulnerabilities “require the ability to start containers with custom mount configurations,” a capability attackers can gain through malicious container images or Dockerfiles.
So far, no one has reported any active exploitation of these flaws in the wild.
In an advisory this week, Sysdig added that organizations can detect exploitation attempts by monitoring suspicious symlink behaviors.
Meanwhile, runC developers recommended specific mitigation actions, including enabling user namespaces for all containers without mapping the host root user into the container’s namespace.
This precaution blocks the most critical parts of the attack because Unix DAC permissions prevent namespaced users from accessing sensitive files.
Finally, Sysdig advises using rootless containers whenever possible to minimize potential damage if a vulnerability is exploited.
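As an added illustration (not code from the article, runC, or Sysdig), the following Python script checks an OCI runtime config.json, the spec runC consumes, for the mitigation described above: a user namespace must be present and no uid/gid mapping may place host ID 0 inside the container. The sample configs are constructed for the demonstration.

```python
"""Audit an OCI runtime config.json for the user-namespace mitigation
recommended by the runC maintainers: a "user" namespace is declared and
host root (ID 0) is not mapped into the container."""
import json

# Constructed sample configs (not taken from any real host).
UNSAFE_CONFIG = json.dumps({
    "ociVersion": "1.0.2",
    "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}]},
})

ROOT_MAPPED_CONFIG = json.dumps({
    "ociVersion": "1.0.2",
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}],
        # A user namespace exists, but host uid 0 is mapped to container root.
        "uidMappings": [{"containerID": 0, "hostID": 0, "size": 65536}],
        "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
    },
})

REMAPPED_CONFIG = json.dumps({
    "ociVersion": "1.0.2",
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}],
        "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
        "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
    },
})


def _maps_host_root(mappings):
    """True if any host ID range [hostID, hostID + size) contains 0."""
    return any(m["hostID"] <= 0 < m["hostID"] + m["size"] for m in mappings)


def check_userns(config_json):
    """Return a list of findings; an empty list means the mitigation is in place."""
    linux = json.loads(config_json).get("linux", {})
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}
    if "user" not in ns_types:
        return ["no user namespace: container root is host root"]
    findings = []
    for key in ("uidMappings", "gidMappings"):
        mappings = linux.get(key, [])
        if not mappings:
            findings.append(f"{key} missing: user namespace has no ID mapping")
        elif _maps_host_root(mappings):
            findings.append(f"{key} maps host ID 0 into the container")
    return findings
```

Docker's `userns-remap` daemon option produces mappings of the REMAPPED_CONFIG shape; rootless runtimes go further by also running the runtime itself unprivileged.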
Source: BleepingComputer, Bill Toulas