Hackers Abuse runc Tool to Escape Containers and Compromise Hosts


Three critical vulnerabilities in runc, the widely used container runtime that powers Docker and Kubernetes, have been disclosed, allowing attackers to break out of container isolation and gain root access to host systems.

The flaws, identified as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, were revealed by a SUSE researcher on November 5, 2025.

| CVE ID         | Affected Versions    | Fixed Versions             |
|----------------|----------------------|----------------------------|
| CVE-2025-31133 | All known versions   | 1.2.8, 1.3.3, 1.4.0-rc.3+  |
| CVE-2025-52565 | 1.0.0-rc3 and later  | 1.2.8, 1.3.3, 1.4.0-rc.3+  |
| CVE-2025-52881 | All known versions   | 1.2.8, 1                   |

How the Attack Works

The vulnerabilities exploit weaknesses in how runc handles mount operations and file protections during container creation.

Attackers can leverage race conditions and symbolic link manipulation to bypass security restrictions, ultimately writing to critical system files that enable container escape, as reported by researchers.


The most likely attack vector involves malicious container images or Dockerfiles containing custom mount configurations.

CVE-2025-31133 targets the maskedPaths feature, which protects sensitive host files from container access.

By replacing /dev/null with a symlink during container creation, attackers can trick runc into mounting arbitrary host paths, allowing writes to critical files like /proc/sys/kernel/core_pattern.

CVE-2025-52565 exploits insufficient validation during the mounting of /dev/pts/$n to /dev/console.

This vulnerability allows attackers to redirect mounts before security protections are applied, gaining unauthorized write access to protected procfs files.

CVE-2025-52881 uses race conditions with shared mounts to redirect runc writes to /proc files.

This bypass allows attackers to manipulate dangerous system files such as /proc/sysrq-trigger, potentially crashing systems or enabling container escape.
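The following is an added example, not code from the article or from the runc project: a defender-side check that compares a `runc --version` string against the fixed releases in the table above, and audits a parsed OCI `config.json` for the two shapes the article describes, sensitive procfs targets (`/proc/sysrq-trigger`, `/proc/sys/kernel/core_pattern`) left outside `maskedPaths`/`readonlyPaths`, and custom bind mounts landing inside `/proc` or `/dev`. The sample config is constructed for illustration.

```python
import json
import re

# procfs write targets named in the article; a hardened bundle keeps them masked
# (maskedPaths) or inside a read-only subtree (readonlyPaths).
SENSITIVE_PROC = ("/proc/sysrq-trigger", "/proc/sys/kernel/core_pattern")


def runc_is_patched(version_text):
    """True when a `runc --version` string is in a fixed line from the table:
    1.2.8+, 1.3.3+, 1.4.0-rc.3+; anything newer than 1.4.0 is treated as fixed."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?", version_text)
    if not m:
        raise ValueError("no runc version found in: %r" % version_text)
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])
    rc = int(m[4]) if m[4] else None
    if (major, minor) == (1, 2):
        return patch >= 8
    if (major, minor) == (1, 3):
        return patch >= 3
    if (major, minor, patch) == (1, 4, 0):
        return rc is None or rc >= 3
    return (major, minor, patch) > (1, 4, 0)


def _covered(path, masked, readonly):
    # Protected if masked outright or located under a read-only path.
    return path in masked or any(path == ro or path.startswith(ro.rstrip("/") + "/") for ro in readonly)


def audit_bundle_config(config):
    """Return findings for a parsed OCI config.json: unprotected sensitive procfs
    paths, and bind mounts whose destination lies inside /proc or /dev (the
    custom-mount shape the article names as the likely attack vector)."""
    linux = config.get("linux", {})
    masked, readonly = set(linux.get("maskedPaths", [])), linux.get("readonlyPaths", [])
    findings = [f"unprotected: {p}" for p in SENSITIVE_PROC if not _covered(p, masked, readonly)]
    for mnt in config.get("mounts", []):
        dest = mnt.get("destination", "")
        is_bind = mnt.get("type") == "bind" or any(o in ("bind", "rbind") for o in mnt.get("options", []))
        if is_bind and (dest.startswith("/proc/") or dest.startswith("/dev/")):
            findings.append(f"bind mount into {dest} from {mnt.get('source')}")
    return findings


# Constructed sample (not from any real image): sysrq-trigger is not masked,
# /proc/sys is read-only, and a bind mount targets /dev/null.
SAMPLE_CONFIG = json.loads("""{
  "mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc"},
    {"destination": "/dev/pts", "type": "devpts", "source": "devpts"},
    {"destination": "/dev/null", "type": "bind", "source": "/tmp/fake-null", "options": ["rbind"]}
  ],
  "linux": {"maskedPaths": ["/proc/kcore"], "readonlyPaths": ["/proc/sys", "/proc/bus"]}
}""")
```

Running `audit_bundle_config(SAMPLE_CONFIG)` reports the unmasked `/proc/sysrq-trigger` and the bind mount onto `/dev/null`; the version check is a release-line comparison only and does not replace applying the vendor patches.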
