
"The security vulnerabilities, registered as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, make it possible to break through the separation between the container and the host system by manipulating mounts and symbolic links. According to the description on nvd.nist.gov, the risk arises when an attacker influences the way mounts are created within a container. By using symlinks or race conditions, runC can unintentionally bind-mount files from the host system into the container, creating write permissions on sensitive system paths."
"In his explanation on GitHub, he describes how runC relies on temporary bind mounts of, for example, /dev/null or /dev/console to mask sensitive paths in certain situations. If an attacker manages to place a symbolic link during container initialization, runC may accidentally mount an attacker-defined target. A symbolic link (Symlink) is a file that acts as a reference or shortcut to another file or folder, automatically redirecting programs to that target."
Three vulnerabilities in runC (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) enable attackers to manipulate mounts and symbolic links to break container-host separation. An attacker who influences mount creation or races symlink placement during container initialization can cause runC to bind-mount host files into the container, exposing write permissions on sensitive system paths including /proc and kernel interfaces. This can enable full container escape and execution of code with root privileges on the host. CVE-2025-31133 and CVE-2025-52881 affect all runC versions; CVE-2025-52565 affects 1.0.0-rc3 and later. Fixed in runC 1.2.8, 1.3.3, and 1.4.0-rc.3 and later.
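A quick way to check whether a host's runC is at or above the fixed releases named above (1.2.8, 1.3.3, 1.4.0-rc.3). This is an added example, not code from runC or the advisory; it assumes `runc --version` prints `runc version X.Y.Z` on its first line, and it treats any series newer than 1.4 as carrying the fixes (an assumption).

```python
import re
import subprocess

# Lowest fixed release per stable series, taken from the advisory summary above.
FIXED_VERSIONS = ("1.2.8", "1.3.3", "1.4.0-rc.3")

# Constructed sample of `runc --version` output, used to test the parser offline.
SAMPLE_OUTPUT = "runc version 1.2.6\ncommit: <placeholder>\nspec: 1.2.0\n"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")


def parse_version(text):
    """Turn '1.4.0-rc.3' (or a 'runc version 1.4.0-rc.3' line) into a sortable
    tuple (major, minor, patch, rc_rank). A final release gets rc_rank=inf so it
    sorts after every release candidate of the same number."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no runc version found in {text!r}")
    major, minor, patch, rc = m.groups()
    rc_rank = int(rc) if rc is not None else float("inf")
    return (int(major), int(minor), int(patch), rc_rank)


def is_patched(version):
    """True if `version` is at or above the fix for its own release series.
    Series with no fixed release listed (1.1 and older) report unpatched;
    series newer than the latest fixed one (1.4) are assumed patched."""
    fixes = [parse_version(v) for v in FIXED_VERSIONS]
    same_series = [f for f in fixes if f[:2] == version[:2]]
    if same_series:
        return version >= same_series[0]
    return version[:2] > max(fixes)[:2]


def installed_runc_version(binary="runc"):
    """Run `runc --version` on this host and parse its first line."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return parse_version(out.splitlines()[0])


if __name__ == "__main__":
    v = installed_runc_version()
    status = "patched" if is_patched(v) else "VULNERABLE (CVE-2025-31133/52565/52881)"
    print(f"runc {v[0]}.{v[1]}.{v[2]}: {status}")
```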
Read at Techzine Global