runc Vulnerability Enables Container Isolation Bypass – Active Exploits Possible
The flaws, which affect containerized environments worldwide, were disclosed by a SUSE researcher on November 5, 2025.
The three CVEs (CVE-2025-31133, CVE-2025-52565 and CVE-2025-52881) stem from weaknesses in runc's mount operations and file protections during container creation.
An attacker can combine race conditions and symbolic-link manipulation to bypass those protections and write to critical host files, which can lead to container escape.
| CVE ID | Affected Versions | Fixed Versions |
|---|---|---|
| CVE-2025-31133 | All known versions | 1.2.8, 1.3.3, 1.4.0-rc.3+ |
| CVE-2025-52565 | 1.0.0-rc3 and later | 1.2.8, 1.3.3, 1.4.0-rc.3+ |
| CVE-2025-52881 | All known versions | 1.2.8, 1.3.3, 1.4.0-rc.3+ |
The most likely attack vector is a malicious container image or Dockerfile with custom mount configurations.
Each of the three vulnerabilities circumvents container security in a different way.
CVE-2025-31133 targets the maskedPaths feature, which prevents containers from accessing sensitive host files.
During container creation, an attacker replaces /dev/null with a symbolic link, tricking runc into mounting arbitrary host paths.
This allows writes to critical files such as /proc/sys/kernel/core_pattern, enabling system compromise.
CVE-2025-52565 stems from insufficient validation when runc mounts /dev/pts/$n onto /dev/console. An attacker can redirect that mount before the security protections take effect, gaining unauthorized write access to protected procfs files and undermining container isolation boundaries.
CVE-2025-52881 abuses a race condition with shared mounts to redirect runc's own writes to /proc files. An attacker can thereby manipulate dangerous system files such as /proc/sysrq-trigger, potentially crashing systems or escaping the container through privilege escalation.
Organizations running Docker, Kubernetes, or any other service built on runc must upgrade immediately to a patched version: 1.2.8, 1.3.3, or 1.4.0-rc.3 and later.
The widespread use of runc across containerized infrastructure makes these vulnerabilities particularly dangerous.
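Deciding whether a given host is still exposed means comparing the installed runc version with the fixed releases in the table above, branch by branch (a 1.2.x host needs 1.2.8, a 1.3.x host needs 1.3.3, and a 1.4.0 release candidate needs rc.3 or later). The following script is an added example, not part of the advisory or of the runc project; its version-string parsing, the assumption that branches newer than 1.4 carry the fix, and the constructed `runc --version` output are this example's own.

```python
"""Check an installed runc version against the fixed releases in the advisory.

Added example; the version parsing and branch logic are this example's own
assumptions about runc's numbering (1.x.y, with '-rc.N' or the older '-rcN' suffix).
"""
import re
from typing import List, NamedTuple


class RuncVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    final: int  # 1 for a final release, 0 for a release candidate, so an rc sorts before the final
    rc: int     # release-candidate number, 0 for final releases


VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?$")


def parse_version(text: str) -> RuncVersion:
    """Parse '1.2.7', '1.4.0-rc.2' or the older '1.0.0-rc3' form; reject anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised runc version: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return RuncVersion(int(major), int(minor), int(patch), 1, 0)
    return RuncVersion(int(major), int(minor), int(patch), 0, int(rc))


def version_from_cli_output(output: str) -> RuncVersion:
    """Extract the version from `runc --version` output; its first line reads 'runc version X'."""
    m = re.search(r"^runc version (\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'runc version' line found in output")
    return parse_version(m.group(1))


# First patched release on each maintained branch, taken from the advisory table.
FIXED_ON_BRANCH = {
    (1, 2): parse_version("1.2.8"),
    (1, 3): parse_version("1.3.3"),
    (1, 4): parse_version("1.4.0-rc.3"),
}
# The table lists CVE-2025-52565 as affecting 1.0.0-rc3 and later; the other two affect all versions.
FIRST_AFFECTED_52565 = parse_version("1.0.0-rc3")


def is_patched(v: RuncVersion) -> bool:
    """True if v carries the fixes for all three CVEs."""
    branch = (v.major, v.minor)
    if branch in FIXED_ON_BRANCH:
        return v >= FIXED_ON_BRANCH[branch]
    # Assumption: branches newer than 1.4 carry the fix; older branches (1.1.x, 1.0.x)
    # have no fixed release in the table and are treated as unpatched.
    return v > FIXED_ON_BRANCH[(1, 4)]


def outstanding_cves(v: RuncVersion) -> List[str]:
    """CVEs from the advisory that still apply to version v (empty when patched)."""
    if is_patched(v):
        return []
    cves = ["CVE-2025-31133", "CVE-2025-52881"]
    if v >= FIRST_AFFECTED_52565:
        cves.insert(1, "CVE-2025-52565")
    return cves


# Constructed sample of `runc --version` output for a host still on 1.2.7.
SAMPLE_OUTPUT = """runc version 1.2.7
spec: 1.2.0
go: go1.23.0
"""

if __name__ == "__main__":
    installed = version_from_cli_output(SAMPLE_OUTPUT)
    pending = outstanding_cves(installed)
    label = "patched" if not pending else "still affected by " + ", ".join(pending)
    print("runc", ".".join(map(str, installed[:3])), label)
```

On a real host, feed the script the output of `runc --version` (or the runc bundled with your containerd or Docker package) instead of the constructed sample; the comparison is done per branch so that a fully patched 1.2.8 is not mistaken for "older than 1.4.0-rc.3".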
Container operators should audit deployed environments for suspicious mount configurations and monitor for container escape attempts.
Additionally, organizations should implement strict image scanning policies to detect malicious Dockerfiles attempting these exploitation techniques.
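One concrete way to audit for the mount patterns described above is to inspect the OCI runtime config.json that a higher-level runtime hands to runc and flag user-supplied mounts over paths runc manages itself (/dev/null, /dev/console, anything under /proc), shared mount propagation, and a maskedPaths or readonlyPaths list that has been weakened. The script below is an added example, not runc's or any scanner's code; the runc-managed path list, the minimum masked and read-only sets, and both sample configs are this example's own assumptions and constructed data, so treat the output as a review prompt rather than a verdict.

```python
"""Flag mount settings in an OCI runtime config.json that deserve review.

Added example, not runc's code. The expected masked/readonly sets and the list
of runc-managed paths are this example's assumptions, chosen to surface the
patterns the advisory describes: user mounts over /dev/null, /dev/console or
/proc, shared mount propagation, and weakened maskedPaths/readonlyPaths.
"""
import json
from typing import Any, Dict, List

# Paths runc itself sets up during container creation; a user-supplied mount here is unusual.
RUNC_MANAGED_PREFIXES = ("/dev/null", "/dev/console", "/proc")
# The standard procfs mount at /proc is expected and must not be flagged.
EXPECTED_MOUNTS = {("/proc", "proc")}
SHARED_PROPAGATION = {"shared", "rshared"}
# Minimum protections this example insists on (runc's own defaults are a longer list).
EXPECTED_MASKED = {"/proc/kcore", "/proc/keys", "/sys/firmware"}
EXPECTED_READONLY = {"/proc/sys", "/proc/sysrq-trigger"}


def _under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies beneath it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def audit_config(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    for m in cfg.get("mounts", []):
        dest = m.get("destination", "")
        mtype = m.get("type", "")
        opts = set(m.get("options", []))
        if (dest, mtype) not in EXPECTED_MOUNTS:
            for prefix in RUNC_MANAGED_PREFIXES:
                if _under(dest, prefix):
                    findings.append(
                        f"mount at {dest} (type={mtype}, source={m.get('source')}) "
                        f"overlaps runc-managed path {prefix}"
                    )
                    break
        shared = opts & SHARED_PROPAGATION
        if shared:
            findings.append(f"mount at {dest} requests shared propagation {sorted(shared)}")

    linux = cfg.get("linux", {})
    if linux.get("rootfsPropagation") in SHARED_PROPAGATION:
        findings.append(f"rootfsPropagation is {linux['rootfsPropagation']}")
    for p in sorted(EXPECTED_MASKED - set(linux.get("maskedPaths", []))):
        findings.append(f"maskedPaths does not cover {p}")
    for p in sorted(EXPECTED_READONLY - set(linux.get("readonlyPaths", []))):
        findings.append(f"readonlyPaths does not cover {p}")
    return findings


def audit_json(text: str) -> List[str]:
    """Convenience wrapper for a config.json read from disk."""
    return audit_config(json.loads(text))


# Constructed sample: a bind mount over /dev/null with shared propagation, plus a
# maskedPaths list with /proc/kcore dropped. The source path is a placeholder.
SUSPICIOUS_CONFIG = """{
  "mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc"},
    {"destination": "/dev/pts", "type": "devpts", "source": "devpts", "options": ["nosuid", "noexec"]},
    {"destination": "/dev/null", "type": "bind", "source": "/tmp/placeholder-source", "options": ["rbind", "rshared"]}
  ],
  "linux": {
    "maskedPaths": ["/proc/keys", "/sys/firmware"],
    "readonlyPaths": ["/proc/sys", "/proc/sysrq-trigger"]
  }
}"""

# Constructed baseline with the expected protections and no unusual mounts.
BASELINE_CONFIG = """{
  "mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc"},
    {"destination": "/dev/pts", "type": "devpts", "source": "devpts", "options": ["nosuid", "noexec"]}
  ],
  "linux": {
    "maskedPaths": ["/proc/kcore", "/proc/keys", "/sys/firmware"],
    "readonlyPaths": ["/proc/sys", "/proc/sysrq-trigger"]
  }
}"""

if __name__ == "__main__":
    for line in audit_json(SUSPICIOUS_CONFIG):
        print("FINDING:", line)
```

Run it over the config.json of each running container (or over the spec your orchestrator generates in CI) and route findings to the same review queue as image-scan results; the check is a heuristic and does not replace upgrading runc.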
These vulnerabilities underscore the critical importance of container runtime security and the need for rapid patching cycles in container infrastructure.
DevOps teams should prioritize updating runc across all systems to prevent potential compromise of containerized applications and underlying host systems.