Critical runC Flaws Pose Container Escape Risk for Docker and Kubernetes

Three newly disclosed vulnerabilities in the runC container runtime, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, could allow an attacker to break out of container isolation and gain root access to the host. All three stem from the way runC handles bind mounts and symbolic links while setting up a container. Because runC is the low-level runtime beneath Docker and Kubernetes, a successful exploit defeats the isolation boundary that containers are designed to enforce.

The flaws let an attacker who controls what runC mounts during container start redirect those mounts onto sensitive host files, such as entries under /proc. Because runC performs these mount operations with host privileges, the redirection yields unauthorized write access to the targeted files, which can be turned into command execution on the underlying host. Exploitation requires the ability to start a container with a custom mount configuration, which a malicious image or Dockerfile can supply.

There are no reports of exploitation in the wild at the time of writing. Fixes are available in runC 1.2.8, 1.3.3, and 1.4.0-rc.3, and in later releases of each series; on many systems the runc binary is shipped by, or as a dependency of, the Docker Engine or containerd packages, so check which package owns it before upgrading. Recommended mitigations while patching include enabling user namespaces so that the container's root user is not mapped to the host's root user and, where feasible, running rootless containers; both limit the damage a successful escape can do but neither replaces the fixed versions. Monitoring for unexpected symlink creation or replacement inside container filesystems during container start can also help detect exploitation attempts.
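The following triage helper is an added example, not code from the article or from the runc project. It classifies a runC version string against the three fixed releases named above and checks a Docker daemon.json for user-namespace remapping. Its assumptions are labelled in the comments: that `runc --version` prints a first line of the form "runc version X.Y.Z", that series older than 1.2 receive no fix (the article lists none) while anything newer than 1.4 already carries it, and that Docker enables user namespaces through a non-empty "userns-remap" value. The sample inputs at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article or the runc project): triage a host
# against the runC fixed releases 1.2.8, 1.3.3 and 1.4.0-rc.3.
# Assumptions (not stated by the article):
#   - `runc --version` prints a first line "runc version X.Y.Z"
#   - series older than 1.2 get no fix; series newer than 1.4 carry it
#   - Docker enables user namespaces via a non-empty "userns-remap" value

# ver_key VERSION -> "MAJOR MINOR PATCH RC". A final release gets RC=999999
# so 1.4.0 sorts above 1.4.0-rc.3. Tolerates a leading "v" and a distro
# suffix such as "+ds1".
ver_key() {
    v=${1#v}
    v=${v%%+*}
    base=${v%%-*}
    rc=999999
    case "$v" in
        *-rc.*) rc=${v##*-rc.} ;;
        *-rc*)  rc=${v##*-rc} ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    printf '%d %d %d %d\n' "$major" "$minor" "$patch" "$rc"
}

# ver_ge A B -> exit status 0 when version A >= version B
ver_ge() {
    _a=$1; _b=$2
    set -- $(ver_key "$_a"); am=$1; an=$2; ap=$3; ar=$4
    set -- $(ver_key "$_b"); bm=$1; bn=$2; bp=$3; br=$4
    for pair in "$am $bm" "$an $bn" "$ap $bp" "$ar $br"; do
        set -- $pair
        if [ "$1" -gt "$2" ]; then return 0; fi
        if [ "$1" -lt "$2" ]; then return 1; fi
    done
    return 0
}

# runc_status VERSION -> prints "patched" or "unpatched"
runc_status() {
    want=$1
    set -- $(ver_key "$want")
    case "$1.$2" in
        1.2) fixed=1.2.8 ;;
        1.3) fixed=1.3.3 ;;
        1.4) fixed=1.4.0-rc.3 ;;
        *)
            # Outside the three series the article lists (assumption):
            # >= 1.5 carries the fix, anything older than 1.2 does not.
            if [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -ge 5 ]; }; then
                echo patched
            else
                echo unpatched
            fi
            return 0 ;;
    esac
    if ver_ge "$want" "$fixed"; then echo patched; else echo unpatched; fi
}

# runc_version_from_output TEXT -> the version on the "runc version" line
runc_version_from_output() {
    printf '%s\n' "$1" | awk '/^runc version/ { print $3; exit }'
}

# daemon_userns_status JSON_TEXT -> "enabled" when "userns-remap" is set to
# a non-empty string (a plain grep; a real deployment should parse the JSON)
daemon_userns_status() {
    if printf '%s\n' "$1" | grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"'; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample input, not captured from a real host.
sample_output='runc version 1.2.7
spec: 1.2.0'
sample_daemon_json='{ "userns-remap": "default" }'

sample_ver=$(runc_version_from_output "$sample_output")
printf 'sample host runs runc %s: %s\n' "$sample_ver" "$(runc_status "$sample_ver")"
for ver in 1.1.12 1.2.8 1.3.3 1.4.0-rc.2 1.4.0-rc.3 1.4.0; do
    printf '%-12s %s\n' "$ver" "$(runc_status "$ver")"
done
printf 'userns-remap in sample daemon.json: %s\n' "$(daemon_userns_status "$sample_daemon_json")"
```

On a real host, feed `"$(runc --version)"` to `runc_version_from_output` and `"$(cat /etc/docker/daemon.json)"` to `daemon_userns_status`; Kubernetes nodes that use containerd rather than Docker have no daemon.json, so only the version check applies there. The rc handling matters because 1.4.0-rc.2 and 1.4.0-rc.3 differ only in the pre-release tag, and a naive string or numeric comparison would classify both the same way.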
