Critical runc Vulnerabilities Threaten Docker and Kubernetes Security
Three vulnerabilities have been disclosed in runc, the low-level container runtime beneath Docker and Kubernetes. Each lets a process inside a container break isolation and reach the host with root privileges (or, in one case, crash it). No exploitation in the wild has been reported, but the impact is severe enough that patching should not wait.
Understanding the runc Vulnerabilities
All three stem from mount and write operations that runc performs inside the container's root filesystem while setting it up, which an attacker who controls that filesystem can redirect:
1. CVE-2025-31133: Exploiting maskedPaths Feature
This vulnerability targets runc's `maskedPaths` feature, which hides sensitive host files (for example under `/proc`) from the container by bind-mounting `/dev/null` over them. If the container's `/dev/null` has been replaced with a symbolic link during container creation, runc follows it and bind-mounts the link's target, an arbitrary host path, into the container read-write. A target such as `/proc/sys/kernel/core_pattern` yields a container escape: the kernel runs the core-dump handler named there on the host, outside the container.
2. CVE-2025-52565: Manipulating /dev/console Mount Operations
This one concerns the bind mount runc performs for `/dev/console` while initialising the container. Because the mount target is not validated, an attacker can make it land on a different path and obtain write access to `procfs` files that would otherwise be protected. The exploit works because this mount happens before the `maskedPaths` and `readonlyPaths` protections are applied.
3. CVE-2025-52881: Bypassing Linux Security Modules
This flaw lets an attacker defeat Linux Security Module (LSM) protections through a race condition involving shared mounts. runc's own writes to `procfs` (including those that apply the container's AppArmor or SELinux label) are redirected to a fake `procfs` prepared by the attacker, so they land on files such as `/proc/sysrq-trigger` (crashing the host) or `/proc/sys/kernel/core_pattern` (container escape).
Affected Versions and Remediation
The vulnerabilities impact various versions of runc:
– CVE-2025-31133 and CVE-2025-52881: Affect all known runc versions.
– CVE-2025-52565: Impacts versions 1.0.0-rc3 and later.
Fixes ship in runc 1.2.8, 1.3.3 and 1.4.0-rc.3; every later release in each series carries them. Anyone running containers should upgrade to one of these, or later, without delay. Since the runc binary is usually installed as part of Docker or containerd packages, check the version actually on each host rather than inferring it from the orchestrator's version.
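For an inventory pass, the following added example (not code from the article, Sysdig or the runc project) classifies a runc version string against the fixed releases named above and reads the version out of `runc --version` output. The version-comparison rules, the `FIXED` table and the sample output are this example's own; the sample is constructed, not captured from a real host.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed release per maintained series, from the advisory:
# 1.2.8, 1.3.3 and 1.4.0-rc.3.  Value = (patch, rc); rc=None means a final release.
FIXED = {
    (1, 2): (8, None),
    (1, 3): (3, None),
    (1, 4): (0, 3),
}

# Accepts "1.3.3", "v1.3.3", "1.4.0-rc.3", "1.0.0-rc95"; anything trailing is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")

# Constructed sample of `runc --version` output (not taken from a real machine).
SAMPLE_OUTPUT = """runc version 1.3.2
commit: v1.3.2-0-g0000000
spec: 1.2.1
go: go1.24.0
libseccomp: 2.5.5
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int, Optional[int]]]:
    """Return (major, minor, patch, rc) or None if the string is not a runc version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch), (int(rc) if rc is not None else None)


def is_patched(version: str) -> bool:
    """True if this runc release carries the fixes for the three CVEs.

    Unparseable input is reported as vulnerable so an inventory script fails closed.
    """
    parsed = parse_version(version)
    if parsed is None:
        return False
    major, minor, patch, rc = parsed
    if major != 1:
        return major > 1          # 0.x predates every fix; a 2.x would postdate them
    if (major, minor) not in FIXED:
        return minor > 4          # 1.1.x and older never got a fix; 1.5+ would inherit it
    fixed_patch, fixed_rc = FIXED[(major, minor)]
    if patch != fixed_patch:
        return patch > fixed_patch
    if fixed_rc is None:
        return rc is None         # a hypothetical 1.2.8-rc.1 would predate 1.2.8
    return rc is None or rc >= fixed_rc   # 1.4.0-rc.3, later rcs, or 1.4.0 final


def version_from_runc_output(output: str) -> Optional[str]:
    """Pull the version out of `runc --version`; its first line is 'runc version X'."""
    for line in output.splitlines():
        if line.startswith("runc version "):
            return line.split()[2]
    return None


def check_installed_runc() -> Optional[bool]:
    """Run the local runc binary; None if it is missing or prints nothing usable."""
    try:
        out = subprocess.run(["runc", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    found = version_from_runc_output(out)
    return is_patched(found) if found else None


if __name__ == "__main__":
    status = check_installed_runc()
    if status is None:
        print("runc not found or version unrecognised")
    elif status:
        print("runc is patched")
    else:
        print("runc is VULNERABLE: upgrade to 1.2.8 / 1.3.3 / 1.4.0-rc.3 or later")
```

Run it on each node (or feed `version_from_runc_output` the text collected by your fleet tooling); it deliberately treats anything it cannot parse as vulnerable rather than silently passing it.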
Mitigation Strategies
Beyond updating runc, the Sysdig Threat Research Team recommends additional measures:
– Enable user namespaces: with a user namespace, root inside the container is an unprivileged UID on the host, so even a redirected runc mount or write cannot modify host-owned `procfs` files, which blocks the attack vectors above.
– Adopt rootless containers: in rootless mode runc itself runs as an unprivileged host user, so nothing it does during container setup carries host-root privilege, shrinking what any runc bug can reach.
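To verify the mitigation rather than assume it, the following added example (not from the article, Sysdig or runc) audits an OCI runtime spec, the `config.json` that runc executes, for a user namespace whose mappings exclude host ID 0, and checks a Kubernetes pod manifest for `hostUsers: false`. The specs are constructed here; `_with_userns`, the finding strings and the hypothetical `audit_oci_spec_file` helper are this example's own.

```python
import json
from typing import Dict, List

# Constructed OCI runtime spec resembling what a default, non-rootless
# Docker/containerd setup hands to runc: no user namespace at all.
DEFAULT_SPEC: Dict = {
    "ociVersion": "1.1.0",
    "process": {"user": {"uid": 0, "gid": 0}},
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "network"}],
        "maskedPaths": ["/proc/kcore", "/proc/sysrq-trigger"],
        "readonlyPaths": ["/proc/sys"],
    },
}


def _with_userns(spec: Dict, host_base: int) -> Dict:
    """Deep copy of `spec` plus a user namespace whose container root maps to host_base."""
    out = json.loads(json.dumps(spec))
    out["linux"]["namespaces"].append({"type": "user"})
    mapping = [{"containerID": 0, "hostID": host_base, "size": 65536}]
    out["linux"]["uidMappings"] = mapping
    out["linux"]["gidMappings"] = list(mapping)
    return out


HARDENED_SPEC = _with_userns(DEFAULT_SPEC, 100000)  # what userns-remap / rootless produce
ROOT_MAPPED_SPEC = _with_userns(DEFAULT_SPEC, 0)    # a user namespace that still holds host root


def audit_oci_spec(spec: Dict) -> List[str]:
    """Findings (empty list = fine) on whether writes from inside the container
    would still carry host-root privilege against procfs."""
    findings: List[str] = []
    linux = spec.get("linux", {})
    types = {ns.get("type") for ns in linux.get("namespaces", [])}
    if "user" not in types:
        return ["no user namespace: container root is host root for procfs writes"]
    for key in ("uidMappings", "gidMappings"):
        mappings = linux.get(key) or []
        if not mappings:
            findings.append(f"user namespace declared but {key} is empty")
            continue
        for m in mappings:
            low, high = m["hostID"], m["hostID"] + m["size"] - 1
            if low <= 0 <= high:
                findings.append(f"{key}: host ID 0 is mapped into the container")
    return findings


def pod_uses_user_namespace(manifest: Dict) -> bool:
    """Kubernetes pods opt in per pod with spec.hostUsers: false."""
    return manifest.get("spec", {}).get("hostUsers") is False


def audit_oci_spec_file(path: str) -> List[str]:
    """Hypothetical convenience wrapper for a config.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_oci_spec(json.load(fh))


if __name__ == "__main__":
    for name, spec in (("default", DEFAULT_SPEC), ("hardened", HARDENED_SPEC),
                       ("root-mapped", ROOT_MAPPED_SPEC)):
        print(f"{name}: {audit_oci_spec(spec) or ['ok']}")
```

On a Docker host, `"userns-remap": "default"` in `/etc/docker/daemon.json` is what turns the first spec into the second; on Kubernetes, `hostUsers: false` in the pod spec does the same where the kubelet and runtime support it. Point `audit_oci_spec_file` at the bundle `config.json` of a running container (on a containerd host these typically live under `/run/containerd/io.containerd.runtime.v2.task/<namespace>/<container-id>/`) to confirm what runc was actually given.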
AWS has released security updates for Amazon ECS and EKS addressing these vulnerabilities, dated November 5, 2025.
Conclusion
The discovery of these critical runc vulnerabilities underscores the importance of proactive security measures in containerized environments. By promptly applying patches and implementing recommended mitigation strategies, organizations can safeguard their systems against potential exploits that threaten container isolation and overall system integrity.