RunC container runtime host escape flaws (multiple vulnerabilities)
Vulnerability
Summary
The runC maintainers disclosed three vulnerabilities that can let attackers bypass container isolation and gain root access on the host in Docker and Kubernetes environments. The issues are tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881. Fixes are available in runC 1.2.8, 1.3.3, 1.4.0-rc.3, and later. There are no reports of active exploitation in the wild.
Related Happenings
RunC user namespaces and rootless containers mitigation
Advisory/Mitigation
First: 09.11.2025 17:11
Last: 09.11.2025 17:11
Sources 1
How related:
RunC developers also shared mitigation actions, which include activating user namespaces for all containers without mapping the host root user into the container's namespace.
About this happening:
RunC developers shared **mitigation actions** for the newly disclosed **runC** flaws that can let attackers **bypass isolation** and reach the **host system**. The core recommenda...
Docker expands Hardened Images catalog access with near-zero-CVE subscriptions
Security Tool/Service
First: 08.10.2025 01:09
Last: 08.10.2025 01:09
Sources 1
About this happening:
Docker expanded **Hardened Images** access with a **30-day free trial** and subscription use for all users, making secure container images more accessible to **startups and SMBs**...
Timeline
09.11.2025 17:11 2 articles · 6mo ago
runC host-escape vulnerabilities disclosed
Initial Disclosure
Three vulnerabilities in runC, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, can let attackers bypass container isolation and gain root-privileged write access to the underlying host in Docker and Kubernetes environments. The flaws involve symlink and bind-mount manipulation and may require custom mount configurations delivered through malicious container images or Dockerfiles. CVE-2025-31133 and CVE-2025-52881 affect all versions of runC, while CVE-2025-52565 affects runC 1.0.0-rc3 and later. Fixes are available in runC 1.2.8, 1.3.3, 1.4.0-rc.3, and later; no active exploitation in the wild has been reported. Recommended mitigations include monitoring for suspicious symlink behavior, enabling user namespaces without mapping the host root user into the container, and using rootless containers where possible.
Sources
- Dangerous runC flaws could allow hackers to escape Docker containers — www.bleepingcomputer.com — 09.11.2025 17:11