Note
Some vendors were given a pre-release version of this release.
This public release includes two extra patches to fix regressions
discovered very late during the embargo period and were thus not
included in the pre-release versions. Please update to this version.
This release contains fixes for three high-severity security
vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and
CVE-2025-52881). All three vulnerabilities ultimately allow (through
different methods) for full container breakouts by bypassing runc's
restrictions for writing to arbitrary /proc files.
Security
-
CVE-2025-31133 exploits an issue with how masked paths are implemented in
runc. When masking files, runc will bind-mount the container's/dev/null
inode on top of the file. However, if an attacker can replace/dev/null
with a symlink to some other procfs file, runc will instead bind-mount the
symlink target read-write. This issue affected all known runc versions. -
CVE-2025-52565 is very similar in concept and application to
CVE-2025-31133, except that it exploits a flaw in/dev/console
bind-mounts. When creating the/dev/consolebind-mount (to/dev/pts/$n),
if an attacker replaces/dev/pts/$nwith a symlink then runc will
bind-mount the symlink target over/dev/console. This issue affected all
versions of runc >= 1.0.0-rc3. -
CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921,
which was a flaw that allowed an attacker to trick runc into writing the LSM
process labels for a container process into a dummy tmpfs file and thus not
apply the correct LSM labels to the container process. The mitigation we
applied for CVE-2019-19921 was fairly limited and effectively only caused
runc to verify that when we write LSM labels that those labels are actual
procfs files. This issue affects all known runc versions.
Added
Static Linking Notices
The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following contributors for making this release possible:
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai cyphar@cyphar.com
- Kir Kolyshkin kolyshkin@gmail.com
- Lei Wang ssst0n3@gmail.com
- Li Fubang lifubang@acmcoder.com
- Rodrigo Campos rodrigoca@microsoft.com
- Tõnis Tiigi tonistiigi@gmail.com
Signed-off-by: Aleksa Sarai cyphar@cyphar.com