Dangerous runC flaws could allow attackers to escape Docker containers

Three newly disclosed vulnerabilities in the runC container runtime used by Docker and Kubernetes could be exploited to bypass isolation restrictions and gain access to the host system.

The security issues, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 (all ), were reported this week and disclosed by SUSE software engineer and Open Container Initiative (OCI) board member Aleksa Sarai.

runC is a widely used container runtime and the OCI reference implementation for running containers. It is responsible for low-level operations such as creating the container process and setting up the namespaces, mounts, and cgroups that higher-level tools like Docker and Kubernetes invoke.

An attacker exploiting the vulnerabilities could gain write access to the underlying container host with root privileges:

  • CVE-2025-31133 — runC uses /dev/null bind-mounts to "mask" sensitive host files. If an attacker replaces /dev/null with a symlink during container init, runc can end up bind-mounting an attacker-controlled target read-write into the container, enabling writes to /proc and container escape.
  • CVE-2025-52565 — The /dev/console bind mount can be redirected via races or symlinks so that runc mounts an unexpected target into the container before protections are applied. That again can expose writable access to critical procfs entries and enable breakouts.
  • CVE-2025-52881 — runC can be tricked into performing writes to /proc that are redirected to attacker-controlled targets. This can bypass LSM relabel protections in some variants and turns ordinary runc writes into arbitrary writes to dangerous files such as /proc/sysrq-trigger.
CVE-2025-31133 and CVE-2025-52881 affect all versions of runC, while CVE-2025-52565 affects runC versions 1.0.0-rc3 and later. Fixes are available in runC versions 1.2.8, 1.3.3, 1.4.0-rc.3, and later.
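As an added example (not from the article or the runC project), a small Python check that compares an installed runC version against the fixed versions named above, treating a release candidate as older than the final release on the same branch. `installed_runc_version` assumes `runc` is on PATH and that the first line of `runc --version` reads `runc version X.Y.Z`.

```python
import re
import subprocess

# Fixed releases named in the advisory. A build on one of these release
# branches is treated as fixed only at or above the listed version; a branch
# with no listed fix (for example 1.1.x) is assumed to be unfixed.
FIXED_VERSIONS = ["1.2.8", "1.3.3", "1.4.0-rc.3"]


def parse_version(text):
    """Turn 'v1.4.0-rc.3' or '1.3.3' into a comparable tuple.

    Pre-releases sort before the final release:
    (1, 4, 0, 0, 3) for rc.3 is less than (1, 4, 0, 1, 0) for 1.4.0.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised runc version string: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def is_fixed(version):
    """True if `version` carries the fix for the three CVEs."""
    v = parse_version(version)
    fixes = [parse_version(f) for f in FIXED_VERSIONS]
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if same_branch:
        return v >= same_branch[0]
    # No fix listed for this major.minor: only branches newer than every
    # listed fix are assumed to carry it.
    return v[:2] > max(fixes)[:2]


def installed_runc_version():
    """Read the version from `runc --version` (assumed first-line format)."""
    out = subprocess.run(["runc", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()[0].split()[-1]


if __name__ == "__main__":
    found = installed_runc_version()
    state = "fixed" if is_fixed(found) else "VULNERABLE - update runc"
    print(f"runc {found}: {state}")
```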

Exploitability and risk

Researchers at cloud security firm Sysdig note that the three vulnerabilities "require the ability to start containers with custom mount configurations," which an attacker can achieve through malicious container images or Dockerfiles.

At the moment, there have been no reports of any of the flaws being actively exploited in the wild.

In an advisory this week, Sysdig says that attempts to exploit any of the three security issues can be detected by monitoring for suspicious symlink behavior.

runC developers also shared mitigation actions, which include enabling user namespaces for all containers without mapping the host root user into the container's namespace.

This precaution should block critical parts of the attack thanks to Unix DAC permissions, which would prevent namespaced users from accessing the relevant files.

Sysdig also recommends using rootless containers where possible to reduce the potential damage from exploiting a vulnerability.
