TechRadar
Sead Fadilpašić

Some Docker containers may not be as secure as they like, experts warn

  • Three runC flaws could allow container escape and host access with admin privileges
  • Bugs affect Docker/Kubernetes setups using custom mounts and older runC versions
  • Mitigation includes user namespaces and rootless containers to limit exploit impact

The runC container runtime, used in both Docker and Kubernetes, carried three high-severity vulnerabilities that could be used to access the underlying system, security researchers have warned.

Security researcher Aleksa Sarai disclosed discovering CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, three bugs that, when chained together, granted access to the underlying container host with admin privileges.

runC is a lightweight, low-level container runtime used to create and run containers on Linux systems; it is essentially the component that starts and manages containers on a machine.

No evidence of abuse

CVE-2025-31133, with a severity score of 7.3/10 (high), stems from runc performing insufficient checks, which could lead to information disclosure, denial of service, and even container escape.

CVE-2025-52565, another insufficient-checks flaw, can also lead to denial of service and was given an 8.4/10 score. The final bug, CVE-2025-52881, was described as a race condition in runc that lets an attacker redirect /proc writes via shared mounts; it was given a score of 7.3/10 (high).

To abuse the flaws, an attacker would first need to be able to start containers with custom mount configurations, researchers from Sysdig noted, stressing that, in theory, this could be achieved through malicious container images or Dockerfiles.

All three bugs affect versions 1.2.7, 1.3.2 and 1.4.0-rc.2, and were fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Fortunately, there are currently no reports of any of the three bugs being actively abused in the wild, and runC developers have been sharing mitigation actions, including activating user namespaces for all containers without mapping the host root user into the container’s namespace.

“This precaution should block the most important parts of the attack because of the Unix DAC permissions that would prevent namespaced users from accessing relevant files,” the developers said, adding that using rootless containers is also recommended, since this reduces the potential damage from exploiting the flaws.
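One way to check a host against the fixed versions and the user-namespace mitigation described above, as an added example that is not part of the article or the runC project's own tooling. It assumes `runc --version` prints `runc version X.Y.Z` on its first line and that dockerd reads `/etc/docker/daemon.json`, and it treats releases after 1.4.0-rc.3 as fixed (an assumption, not something the article states).

```shell
#!/bin/sh
# Added example, not code from the article or the runC project.

# num_ge "<string>" N : true if the leading integer of <string> is >= N.
num_ge() {
    n=${1%%[!0-9]*}
    [ -n "$n" ] && [ "$n" -ge "$2" ]
}

# runc_is_fixed <version>: true if the version is at or past the fixed
# releases the article lists (1.2.8, 1.3.3, 1.4.0-rc.3). Older release
# lines are treated as unfixed; 1.4.0 final and later are assumed fixed.
runc_is_fixed() {
    ver=${1#v}                    # tolerate a leading "v" (e.g. "v1.3.3")
    ver=${ver%%+*}                # drop build metadata such as "1.2.8+dev"
    case "$ver" in
        1.2.*)       num_ge "${ver#1.2.}" 8 ;;
        1.3.*)       num_ge "${ver#1.3.}" 3 ;;
        1.4.0-rc.*)  num_ge "${ver#1.4.0-rc.}" 3 ;;   # must precede 1.4.*
        1.4.*|1.[5-9].*|1.[1-9][0-9].*|[2-9].*) true ;;  # assumption: later releases keep the fix
        *)           false ;;     # 1.1.x and earlier, or unparseable
    esac
}

# daemon_userns_remap_enabled <file>: crude check (grep, not a JSON parser)
# that a Docker daemon.json sets "userns-remap" to a non-empty value, which
# makes dockerd run every container in a user namespace with no host root
# mapped into it. Constructed reference content: { "userns-remap": "default" }
daemon_userns_remap_enabled() {
    [ -r "$1" ] && grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# Report on the local host when run directly (skipped where runc is absent).
if command -v runc >/dev/null 2>&1; then
    v=$(runc --version 2>/dev/null | sed -n '1s/.* //p')
    if runc_is_fixed "$v"; then echo "runc $v: contains the fixes"
    else echo "runc $v: UPDATE - affected release line"; fi
fi
if daemon_userns_remap_enabled /etc/docker/daemon.json; then
    echo "dockerd: userns-remap enabled"
else
    echo "dockerd: userns-remap not enabled (set \"userns-remap\": \"default\")"
fi
```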

Via BleepingComputer

