{"id":8327,"date":"2025-11-10T10:03:53","date_gmt":"2025-11-10T10:03:53","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/10\/critical-runc-vulnerabilities-put-docker-and-kubernetes-container-isolation-at-risk\/"},"modified":"2025-11-10T10:03:53","modified_gmt":"2025-11-10T10:03:53","slug":"critical-runc-vulnerabilities-put-docker-and-kubernetes-container-isolation-at-risk","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/10\/critical-runc-vulnerabilities-put-docker-and-kubernetes-container-isolation-at-risk\/","title":{"rendered":"Critical runc Vulnerabilities Put Docker and Kubernetes Container Isolation at Risk"},"content":{"rendered":"<div>\n<p>Three critical vulnerabilities affect runc, the container runtime powering Docker, Kubernetes, and other containerization platforms.<\/p>\n<p>These flaws could allow attackers to escape container isolation and gain root access to host systems. 
However, no active exploits have been detected yet.<\/p>\n<p>The <a href=\"https:\/\/cybersecuritynews.com\/django-vulnerabilities-sql-injection-and-dos-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">vulnerabilities<\/a> leverage mount race conditions and procfs write redirects to break out of container boundaries.<\/p>\n<p>Attackers need the ability to start containers with custom <a href=\"https:\/\/cybersecuritynews.com\/linux-systems-noexec-bypass\/\" target=\"_blank\" rel=\"noreferrer noopener\">mount<\/a> configurations, making malicious container images and Dockerfiles the primary attack vectors.<\/p>\n<p>The Sysdig Threat Research Team analyzed all three vulnerabilities and provided detailed mitigation recommendations for affected organizations worldwide.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-runc-vulnerabilities-lead-to-container-isolation\"><strong>runc Vulnerabilities Break Container Isolation<\/strong><\/h2>\n<p>CVE-2025-31133 exploits weaknesses in runc\u2019s maskedPaths feature, which protects sensitive host files from container access.<\/p>\n<p>By replacing \/dev\/null with a symlink during container creation, attackers can trick runc into mounting <a href=\"https:\/\/cybersecuritynews.com\/docker-compose-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">arbitrary<\/a> host paths and writing to critical system files, such as \/proc\/sys\/kernel\/core_pattern, thereby enabling container escape.<\/p>\n<p>CVE-2025-52565 targets the \/dev\/console mount operation during container initialization.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" 
src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgP_H95a4rm7tFvi16jdKgeFuOICsPi4oFoVUaI3KFF-3q9QuoCaLscU_aQzLLcXugn8GqEgAgs3JJpjd4f2a1FtQIpE8nQu3e82RIpgCmDNpRp4t9LDejhJceunRzwy52mCfQ5PwjWbiT6NAhXHRjvpJID0Hv-E8EmMPmQuPJ75CcE8I0YwepHd5_2XdM\/s1600\/Screenshot%25202025-11-10%2520121547%2520%25281%2529.webp?ssl=1\" alt=\"multiple vulnerabilities in runc\"><figcaption class=\"wp-element-caption\">multiple vulnerabilities in runc<\/figcaption><\/figure>\n<p>Insufficient validation allows attackers to redirect mounts and gain write access to protected procfs files.<\/p>\n<p>The attack succeeds because the mount happens before maskedPaths and readonlyPaths protections are correctly applied.<\/p>\n<p>CVE-2025-52881 enables attackers to bypass <a href=\"https:\/\/cybersecuritynews.com\/linux-security-essentials\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux Security<\/a> Module protections through race conditions with shared mounts.<\/p>\n<p>Attackers can redirect runc writes to fake procfs files and manipulate dangerous system files such as \/proc\/sysrq-trigger or \/proc\/sys\/kernel\/core_pattern, potentially crashing systems or escaping from containers.<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>CVE ID<\/th>\n<th>Vulnerability Type<\/th>\n<th>Affected Versions<\/th>\n<th>Fixed Versions<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>CVE-2025-31133<\/td>\n<td>Container escape via maskedPaths abuse<\/td>\n<td>All known versions<\/td>\n<td>1.2.8, 1.3.3, 1.4.0-rc.3+<\/td>\n<\/tr>\n<tr>\n<td>CVE-2025-52565<\/td>\n<td>Container escape via \/dev\/console mount races<\/td>\n<td>1.0.0-rc3 and later<\/td>\n<td>1.2.8, 1.3.3, 1.4.0-rc.3+<\/td>\n<\/tr>\n<tr>\n<td>CVE-2025-52881<\/td>\n<td>LSM bypass and arbitrary write gadgets<\/td>\n<td>All known versions<\/td>\n<td>1.2.8, 1.3.3, 1.4.0-rc.3+<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" 
id=\"h-affected-versions-and-patches\"><strong>Affected Versions and Patches<\/strong><\/h2>\n<p>CVE-2025-31133 and CVE-2025-52881 impact all known runc versions, while CVE-2025-52565 affects versions 1.0.0-rc3 and later.<\/p>\n<p>All three vulnerabilities are <a href=\"https:\/\/cybersecuritynews.com\/microsoft-october-2025-patch-tuesday\/\">patched<\/a> in runc versions 1.2.8, 1.3.3, and 1.4.0-rc.3 or later.<\/p>\n<p>Organizations running containerized environments should update runc to a patched version immediately.<\/p>\n<p>The Sysdig Threat Research Team <a href=\"https:\/\/www.sysdig.com\/blog\/runc-container-escape-vulnerabilities\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">recommends<\/a> enabling user namespaces for all containers, which blocks critical attack vectors by restricting access to the procfs file system.<\/p>\n<p>Using rootless containers further limits the impact of these vulnerabilities. Cloud providers, including AWS for its ECS and EKS services, released security updates on November 5, 2025.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/runc-tool-vulnerability\/\">Critical runc Vulnerabilities Put Docker and Kubernetes Container Isolation at Risk<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical runc Vulnerabilities Put Docker and Kubernetes Container Isolation at Risk Three critical vulnerabilities in runc, the container runtime powering Docker, Kubernetes, and other containerization platforms. These flaws could allow attackers to escape container isolation and gain root access to host systems. However, no active exploits have been detected yet. 
The vulnerabilities leverage race mount [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-8327","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8327"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8327"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8327\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8327"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8327"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}