CVE-2025-52565

runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4	Patch
https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398	Patch
https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e	Patch
https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d	Patch
https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a	Patch
https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64	Patch
https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8	Patch
https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480	Patch
https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r	Patch Third Party Advisory Exploit Mitigation

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:linuxfoundation:runc::::::::
	cpe:2.3:a:linuxfoundation:runc::::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc9::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc90::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc91::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc92::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc93::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc94::::::
	cpe:2.3:a:linuxfoundation:runc:1.0.0:rc95::::::
	cpe:2.3:a:linuxfoundation:runc:1.4.0:rc1::::::
	cpe:2.3:a:linuxfoundation:runc:1.4.0:rc2::::::

History

03 Dec 2025, 18:33

Type	Values Removed	Values Added
First Time		Linuxfoundation Linuxfoundation runc
CPE		cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8:::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc95:::::: cpe:2.3:a:linuxfoundation:runc:1.4.0:rc1:::::: cpe:2.3:a:linuxfoundation:runc:::::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7:::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc93:::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc94:::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc90:::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:::::: cpe:2.3:a:linuxfoundation:runc:1.4.0:rc2:::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc92:::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc9:::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:::::: cpe:2.3:a:linuxfoundation:runc:1.0.0:rc91::::::
References	~~() https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4 -~~	() https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4 - Patch
References	~~() https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398 -~~	() https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398 - Patch
References	~~() https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e -~~	() https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e - Patch
References	~~() https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d -~~	() https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d - Patch
References	~~() https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a -~~	() https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a - Patch
References	~~() https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64 -~~	() https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64 - Patch
References	~~() https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8 -~~	() https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8 - Patch
References	~~() https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480 -~~	() https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480 - Patch
References	~~() https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r -~~	() https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r - Patch, Third Party Advisory, Exploit, Mitigation
Summary		(es) runc es una herramienta CLI para generar y ejecutar contenedores según la especificación OCI. Las versiones 1.0.0-rc3 hasta la 1.2.7, 1.3.0-rc.1 hasta la 1.3.2, y 1.4.0-rc.1 hasta la 1.4.0-rc.2, debido a comprobaciones insuficientes al montar por enlace '/dev/pts/$n' a '/dev/console' dentro del contenedor, un atacante puede engañar a runc para que monte por enlace rutas que normalmente se harían de solo lectura o se enmascararían en una ruta en la que el atacante pueda escribir. Este ataque es muy similar en concepto y aplicación a CVE-2025-31133, excepto que ataca una vulnerabilidad similar en un objetivo diferente (es decir, el montaje por enlace de '/dev/pts/$n' a '/dev/console' tal como está configurado para todos los contenedores que asignan una consola). Esto ocurre después de 'pivot_root(2)', por lo que esto no puede usarse para escribir directamente en archivos del host; sin embargo, al igual que con CVE-2025-31133, esto puede llevar a la denegación de servicio del host o a un escape de contenedor al proporcionar al atacante una copia escribible de '/proc/sysrq-trigger' o '/proc/sys/kernel/core_pattern' (respectivamente). Este problema está solucionado en las versiones 1.2.8, 1.3.3 y 1.4.0-rc.3.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

06 Nov 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-06 20:15

Updated : 2025-12-03 18:33

NVD link : CVE-2025-52565

Mitre link : CVE-2025-52565

CVE.ORG link : CVE-2025-52565

JSON object : View

Products Affected

linuxfoundation

runc

CWE

CWE-61

UNIX Symbolic Link (Symlink) Following

CWE-363

Race Condition Enabling Link Following

7.5 /10