Critical runC vulnerabilities enable container escape to host system
Summary
Three critical vulnerabilities in runC, a container runtime used by Docker and Kubernetes, could allow attackers to escape container isolation and gain root access to the host system. The flaws, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, were disclosed by SUSE engineer Aleksa Sarai. Exploiting these vulnerabilities requires the ability to start containers with custom mount configurations, which can be achieved through malicious container images or Dockerfiles. The vulnerabilities affect all versions of runC, with fixes available in versions 1.2.8, 1.3.3, 1.4.0-rc.3, and later. No active exploits have been reported, but researchers at Sysdig have provided detection and mitigation strategies.
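The fixed releases the summary names (1.2.8, 1.3.3, 1.4.0-rc.3 and later) are the practical patch check. The script below is an added example, not code from the article, from Sysdig or from the runC project; it assumes `runc` is on PATH and that `runc --version` prints a first line of the form `runc version X.Y.Z` (with an optional `-rc.N` suffix), and it treats every branch older than 1.2 as unpatched, as the summary states that all versions are affected.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed release on each branch, as stated on the page: 1.2.8, 1.3.3,
# 1.4.0-rc.3. Anything newer on that branch, or any later branch, is fixed.
# A final release sorts after every rc, so rc is stored as infinity for finals.
_FINAL = float("inf")
_FIRST_FIXED = {
    (1, 2): (1, 2, 8, _FINAL),
    (1, 3): (1, 3, 3, _FINAL),
    (1, 4): (1, 4, 0, 3),
}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")

VersionKey = Tuple[int, int, int, float]


def parse_runc_version(text: str) -> Optional[VersionKey]:
    """Extract a comparable (major, minor, patch, rc) key from a version
    string or from the full output of `runc --version`."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else _FINAL)


def is_patched(version: str) -> bool:
    """True if this runC version carries the fixes for all three CVEs."""
    key = parse_runc_version(version)
    if key is None:
        raise ValueError(f"unrecognised runc version: {version!r}")
    branch = key[:2]
    if branch in _FIRST_FIXED:
        return key >= _FIRST_FIXED[branch]
    # Branches after 1.4 (1.5, 2.0, ...) postdate the fixes;
    # branches before 1.2 never received them.
    return branch > (1, 4)


def installed_runc_status() -> str:
    """Run the local runc binary (assumed on PATH) and report its status."""
    proc = subprocess.run(["runc", "--version"], capture_output=True,
                          text=True, check=True)
    return "patched" if is_patched(proc.stdout) else "VULNERABLE"


if __name__ == "__main__":
    print(installed_runc_status())
```

Run it on each node; a result of VULNERABLE means the host should be upgraded or, until then, restricted to rootless containers with user namespaces as the mitigation below describes.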
Timeline
- 09.11.2025 17:11 · 1 article
Critical runC vulnerabilities disclosed, enabling container escape to host system
Three critical vulnerabilities in runC, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, were disclosed by SUSE engineer Aleksa Sarai. These flaws allow attackers to escape container isolation and gain root access to the host system. Exploits require custom mount configurations, which can be achieved through malicious container images or Dockerfiles. Fixes are available in runC versions 1.2.8, 1.3.3, 1.4.0-rc.3, and later. No active exploits have been reported.
Sources:
- Dangerous runC flaws could allow hackers to escape Docker containers — www.bleepingcomputer.com — 09.11.2025 17:11
Information Snippets
- runC is a universal container runtime and OCI reference implementation used by Docker and Kubernetes.
  First reported: 09.11.2025 17:11 (1 source, 1 article): Dangerous runC flaws could allow hackers to escape Docker containers — www.bleepingcomputer.com — 09.11.2025 17:11
- CVE-2025-31133 allows attackers to replace /dev/null with a symlink during container init, enabling writes to /proc and container escape.
  First reported: 09.11.2025 17:11 (1 source, 1 article): Dangerous runC flaws could allow hackers to escape Docker containers — www.bleepingcomputer.com — 09.11.2025 17:11
- CVE-2025-52565 can be exploited via races/symlinks to redirect the /dev/console bind mount, exposing writable access to critical procfs entries.
  First reported: 09.11.2025 17:11 (1 source, 1 article): Dangerous runC flaws could allow hackers to escape Docker containers — www.bleepingcomputer.com — 09.11.2025 17:11
- CVE-2025-52881 tricks runC into performing writes to /proc that are redirected to attacker-controlled targets, bypassing LSM relabel protections.
  First reported: 09.11.2025 17:11 (1 source, 1 article): Dangerous runC flaws could allow hackers to escape Docker containers — www.bleepingcomputer.com — 09.11.2025 17:11
- Exploiting these vulnerabilities requires the ability to start containers with custom mount configurations.
  First reported: 09.11.2025 17:11 (1 source, 1 article): Dangerous runC flaws could allow hackers to escape Docker containers — www.bleepingcomputer.com — 09.11.2025 17:11
- No active exploits of these vulnerabilities have been reported.
  First reported: 09.11.2025 17:11 (1 source, 1 article): Dangerous runC flaws could allow hackers to escape Docker containers — www.bleepingcomputer.com — 09.11.2025 17:11
- Mitigation strategies include activating user namespaces and using rootless containers.
  First reported: 09.11.2025 17:11 (1 source, 1 article): Dangerous runC flaws could allow hackers to escape Docker containers — www.bleepingcomputer.com — 09.11.2025 17:11