- Three runC flaws could enable container escape and host access with admin privileges
- Bugs affect Docker/Kubernetes setups using custom mounts and older runC versions
- Mitigation consists of user namespaces and rootless containers to limit exploit impact
The runC container runtime, used in both Docker and Kubernetes, carried three high-severity vulnerabilities that could be used to access the underlying system, security researchers have warned.
Security researcher Aleksa Sarai disclosed discovering CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, three bugs that, when chained together, granted access to the underlying container host with admin privileges.
runC is a lightweight, low-level container runtime used to create and run containers on Linux systems – making it basically the component that starts and manages containers on a machine.
No evidence of abuse
CVE-2025-31133, with a severity score of 7.3/10 (high), stemmed from runc failing to perform sufficient checks, leading to information disclosure, denial of service, and even container escape.
CVE-2025-52565, another insufficient-checks flaw, also leads to denial of service. This bug was given an 8.4/10 rating, while the last, CVE-2025-52881, was described as a race condition in runc, allowing an attacker to redirect /proc writes via shared mounts. This one was given a rating of 7.3/10 (high).
To abuse the flaws, attackers would first need to be able to start containers with custom mount configurations, researchers from Sysdig noted, stressing that, in theory, this could be achieved through malicious container images or Dockerfiles.
All three bugs affect versions 1.2.7, 1.3.2 and 1.4.0-rc.2, and were fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
Fortunately, there are currently no reports of any of the three bugs being actively abused in the wild, and runC developers have been sharing mitigation actions, including enabling user namespaces for all containers without mapping the host root user into the container's namespace.
"This precaution should block critical parts of the attack due to the Unix DAC permissions that will prevent namespaced users from accessing relevant files," it reported, adding that using rootless containers is also recommended, since this reduces the potential damage from exploiting the flaws.
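As an added defender-side check, not taken from the article or from the runc project, the script below decides whether a given runc version string is at or beyond the fixed releases listed above (1.2.8, 1.3.3, 1.4.0-rc.3); it assumes the first line of `runc --version` reads `runc version X.Y.Z` and treats any series newer than 1.4 as carrying the fix.

```python
import re
import subprocess

# Earliest fixed release per minor series, as named in the advisory.
# Entries are (major, minor, patch, rc); rc is None for a final release.
FIXED = {
    (1, 2): (1, 2, 8, None),
    (1, 3): (1, 3, 3, None),
    (1, 4): (1, 4, 0, 3),
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?$")


def parse_version(text):
    """Turn '1.4.0-rc.2' or 'v1.3.3' into (major, minor, patch, rc)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised runc version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else None)


def sort_key(version):
    """Ordering key: a release candidate sorts before its final release."""
    major, minor, patch, rc = version
    return (major, minor, patch, 0 if rc is not None else 1, rc or 0)


def is_patched(text):
    """True if the version already contains the fixes for the three CVEs."""
    version = parse_version(text)
    series = version[:2]
    if series in FIXED:
        return sort_key(version) >= sort_key(FIXED[series])
    # Assumption: series newer than 1.4 include the fix, older ones do not.
    return series > max(FIXED)


def installed_runc_version(binary="runc"):
    """Read the version from `runc --version` (format is an assumption)."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()[0].split()[-1]


if __name__ == "__main__":
    ver = installed_runc_version()
    print(f"runc {ver}: {'patched' if is_patched(ver) else 'VULNERABLE'}")
```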
Via BleepingComputer