Three serious vulnerabilities in runc, the low-level container runtime beneath Docker and, through containerd and CRI-O, Kubernetes, let a malicious container break isolation and gain root-level control of the host.
The flaws were disclosed by a SUSE researcher on November 5, 2025 and affect containerized environments worldwide.
The three CVEs, CVE-2025-31133, CVE-2025-52565 and CVE-2025-52881, stem from weaknesses in how runc performs mount operations and applies file protections while setting up a container.
In each case the attacker uses a race condition or a symbolic link to sidestep those protections and obtain write access to procfs files that are backed by the host kernel, which is enough to escape the container.
| CVE ID | Affected Versions | Fixed Versions |
|---|---|---|
| CVE-2025-31133 | All known versions | 1.2.8, 1.3.3, 1.4.0-rc.3+ |
| CVE-2025-52565 | 1.0.0-rc3 and later | 1.2.8, 1.3.3, 1.4.0-rc.3+ |
| CVE-2025-52881 | All known versions | 1.2.8, 1.3.3, 1.4.0-rc.3+ |
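To turn the table above into a check that can run on every node, here is an added example in Go (my code, not the runc project's or the article's) that parses the output of `runc --version`, compares the reported release against the fixed versions in the table, and lists which of the three CVEs still apply. It assumes upstream's version scheme (1.x.y, with release candidates tagged 1.4.0-rc.3 or, for very old builds, 1.0.0-rc93) and treats any series newer than 1.4 as cut after the fix; the function names `Affected` and `Report` are mine.

```go
package main

import (
	"fmt"
	"math"
	"os/exec"
	"strconv"
	"strings"
)

// version is a parsed runc tag: 1.2.7, 1.4.0-rc.3, or the older 1.0.0-rc93 form.
type version struct {
	major, minor, patch int
	rc                  int // release-candidate number; math.MaxInt for a final release so it sorts last
}

func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	core, pre, isPre := strings.Cut(s, "-")
	v := version{rc: math.MaxInt}
	if n, err := fmt.Sscanf(core, "%d.%d.%d", &v.major, &v.minor, &v.patch); err != nil || n != 3 {
		return version{}, fmt.Errorf("unrecognised version %q", s)
	}
	if isPre { // accept both "rc.3" (current tags) and "rc93" (pre-1.0 tags)
		n, err := strconv.Atoi(strings.TrimPrefix(strings.TrimPrefix(pre, "rc"), "."))
		if err != nil || n <= 0 || !strings.HasPrefix(pre, "rc") {
			return version{}, fmt.Errorf("unsupported pre-release %q", pre)
		}
		v.rc = n
	}
	return v, nil
}

// compare orders versions field by field; the rc field puts 1.4.0-rc.2 < 1.4.0-rc.3 < 1.4.0.
func compare(a, b version) int {
	for _, f := range [][2]int{{a.major, b.major}, {a.minor, b.minor}, {a.patch, b.patch}, {a.rc, b.rc}} {
		if f[0] < f[1] {
			return -1
		}
		if f[0] > f[1] {
			return 1
		}
	}
	return 0
}

// fixed is the first patched release of each supported series, from the table above.
var fixed = map[[2]int]version{
	{1, 2}: {1, 2, 8, math.MaxInt},
	{1, 3}: {1, 3, 3, math.MaxInt},
	{1, 4}: {1, 4, 0, 3},
}

// Affected lists the CVEs that apply to a runc version string, or nil when it is patched.
func Affected(s string) ([]string, error) {
	v, err := parseVersion(s)
	if err != nil {
		return nil, err
	}
	if fix, ok := fixed[[2]int{v.major, v.minor}]; ok {
		if compare(v, fix) >= 0 {
			return nil, nil
		}
	} else if compare(v, fixed[[2]int{1, 4}]) > 0 {
		return nil, nil // assumption: any later series (1.5+) was cut after the fix
	}
	// Older series (1.0.x, 1.1.x) have no patched release in the table and fall through as affected.
	cves := []string{"CVE-2025-31133"}
	if compare(v, version{1, 0, 0, 3}) >= 0 { // CVE-2025-52565 only exists from 1.0.0-rc3 on
		cves = append(cves, "CVE-2025-52565")
	}
	return append(cves, "CVE-2025-52881"), nil
}

// Report turns `runc --version` output (first line "runc version 1.2.7") into a one-line verdict.
func Report(out string) string {
	_, rest, found := strings.Cut(out, "runc version ")
	if !found {
		return "no 'runc version' line in output"
	}
	v := strings.TrimSpace(strings.SplitN(rest, "\n", 2)[0])
	cves, err := Affected(v)
	switch {
	case err != nil:
		return "cannot classify runc " + v + ": " + err.Error()
	case len(cves) == 0:
		return "runc " + v + " is patched"
	}
	return "runc " + v + " is affected by " + strings.Join(cves, ", ") + "; upgrade"
}

func main() {
	out, err := exec.Command("runc", "--version").Output()
	if err != nil {
		fmt.Println("cannot run runc --version:", err)
		return
	}
	fmt.Println(Report(string(out)))
}
```

Run it with `go run check.go` on each host, or feed `Report` the captured output from a fleet inventory. Two caveats: distribution packages often backport fixes without bumping the upstream version, so on Debian, Ubuntu, RHEL and similar hosts compare the package version against the distro's own advisory rather than trusting the upstream number alone; and runc binaries bundled inside Docker Desktop or Kubernetes node images must be updated through those channels, not by replacing the system runc.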

Attack Vectors and Technical Details
The most likely attack vector is a malicious container image or Dockerfile combined with a custom mount configuration, which means that pulling and running an untrusted image is enough exposure.
Each of the three reaches the same goal by a different route.
CVE-2025-31133 abuses the maskedPaths feature, which hides sensitive host files from the container by bind-mounting /dev/null over each of them.
If the container's /dev/null is replaced with a symbolic link at the right moment during container creation, runc follows the link and bind-mounts its target instead, handing the container a writable view of a file it should never reach.
One such target is /proc/sys/kernel/core_pattern: it can name a helper program that the kernel runs as host root whenever a process dumps core, so a single write becomes code execution on the host.
CVE-2025-52565 exploits insufficient validation when runc bind-mounts the container's pseudo-terminal, /dev/pts/$n, over /dev/console. An attacker can redirect that mount before the maskedPaths and readonlyPaths protections are applied, again gaining write access to protected procfs files.
The result is the same loss of the isolation boundary.
CVE-2025-52881 abuses a race condition with shared mounts to redirect writes that runc itself makes to /proc files during setup, so they land in a file of the attacker's choosing. Writes aimed at /proc/sysrq-trigger can crash or reboot the host; writes aimed at other procfs files can be turned into privilege escalation and a container escape.
Organizations running Docker, Kubernetes, or any other service built on runc should upgrade without delay to 1.2.8, 1.3.3, or 1.4.0-rc.3 or later. runc is invoked afresh for every container create and exec and does not stay resident, so replacing the binary takes effect for subsequent operations without restarting running containers; note that distribution packages may backport the fixes under an older version number, and that runc copies bundled with Docker Desktop or Kubernetes node images must be updated through those channels.
Because runc sits beneath nearly all containerized infrastructure, these flaws have an unusually wide blast radius.
Until every host is patched, run containers in a user namespace that does not map host root (rootless containers do this by construction): the redirected procfs writes these bugs depend on then fail on permissions instead of landing in host-owned files.
Container operators should also audit deployed environments for custom mounts that land on /dev, /dev/null, /dev/console or /proc, restrict who may supply such mount configurations (for example through admission policies on Kubernetes), and monitor hosts for unexpected changes to /proc/sys/kernel/core_pattern or writes to /proc/sysrq-trigger.
Image scanning policies should additionally look for Dockerfiles and image layers that place symbolic links at /dev/null or /dev/console, since those are the hooks these exploitation techniques rely on.
These vulnerabilities are a reminder that the container runtime is part of the host's trusted computing base and needs the same rapid patching cycle as the kernel; DevOps teams should prioritize updating runc across all systems to prevent compromise of containerized applications and the hosts beneath them.
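As an added example of the audit recommended above (my code, not runc's or the article's), the Go program below reads an OCI runtime config.json of the kind runc consumes, which container engines generate per container in the bundle directory they keep for it, and reports the settings worth a second look: bind mounts that land on /dev or /proc, shared mount propagation, readonlyPaths or maskedPaths that leave /proc/sys/kernel/core_pattern or /proc/sysrq-trigger unprotected, and the absence of a user namespace. These are review heuristics drawn from the descriptions above, not a test for the vulnerabilities themselves; the names `Audit`, `sampleRisky` and `sampleHardened` are mine, and both sample configurations are constructed for the example rather than taken from a real deployment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"os"
	"strings"
)

// Subset of an OCI runtime config.json; encoding/json maps keys to fields case-insensitively.
type mount struct {
	Destination, Type, Source string
	Options                   []string
}
type ociConfig struct {
	Mounts []mount
	Linux  struct {
		Namespaces        []struct{ Type string }
		MaskedPaths       []string
		ReadonlyPaths     []string
		RootfsPropagation string
	}
}

// Trees runc populates itself during setup (/dev/null for masked paths, /dev/console from
// /dev/pts/N, procfs for its own writes); a caller's bind mount there is the "custom mount
// configuration" named above. mustBeProtected lists the files the three CVEs are used to reach;
// the CVEs bypass these lists, but a config that omits them is exposed even on a patched runc.
var runcManaged = []string{"/dev", "/proc"}
var mustBeProtected = []string{"/proc/sys/kernel/core_pattern", "/proc/sysrq-trigger"}

func underAny(path string, roots []string) bool {
	for _, r := range roots {
		if path == r || strings.HasPrefix(path, r+"/") {
			return true
		}
	}
	return false
}

// Audit returns one finding per risky setting: review heuristics drawn from the descriptions
// above, not a vulnerability test. Upgrading runc is the fix; this ranks configs to look at first.
func Audit(raw []byte) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var out []string
	for _, m := range cfg.Mounts {
		opt := map[string]bool{}
		for _, o := range m.Options {
			opt[o] = true
		}
		if (m.Type == "bind" || opt["bind"] || opt["rbind"]) && underAny(m.Destination, runcManaged) {
			out = append(out, fmt.Sprintf("bind mount %s -> %s lands in a tree runc manages (CVE-2025-31133/52565 setup)", m.Source, m.Destination))
		}
		if opt["shared"] || opt["rshared"] {
			out = append(out, "mount "+m.Destination+" has shared propagation (the CVE-2025-52881 redirection vector)")
		}
	}
	if p := cfg.Linux.RootfsPropagation; p == "shared" || p == "rshared" {
		out = append(out, "rootfsPropagation is "+p+": mounts made inside the container propagate out")
	}
	protected := append(append([]string{}, cfg.Linux.MaskedPaths...), cfg.Linux.ReadonlyPaths...)
	for _, f := range mustBeProtected {
		if !underAny(f, protected) {
			out = append(out, f+" is neither masked nor read-only")
		}
	}
	userNS := false
	for _, ns := range cfg.Linux.Namespaces {
		userNS = userNS || ns.Type == "user"
	}
	if !userNS { // with host root unmapped, a redirected procfs write fails on permissions instead
		out = append(out, "no user namespace: container root is host root, so a redirected procfs write is fully privileged")
	}
	return out, nil
}

// Constructed samples (not real deployments): a risky config and a hardened one.
const sampleRisky = `{"ociVersion":"1.2.0","mounts":[{"destination":"/proc","type":"proc","source":"proc"},{"destination":"/dev/null","type":"bind","source":"/srv/attacker","options":["rbind"]},{"destination":"/data","type":"bind","source":"/srv/data","options":["rbind","rshared"]}],"linux":{"namespaces":[{"type":"pid"},{"type":"mount"}],"readonlyPaths":["/proc/sys"],"rootfsPropagation":"rshared"}}`
const sampleHardened = `{"ociVersion":"1.2.0","mounts":[{"destination":"/proc","type":"proc","source":"proc"},{"destination":"/dev","type":"tmpfs","source":"tmpfs","options":["nosuid","strictatime","mode=755"]},{"destination":"/data","type":"bind","source":"/srv/data","options":["rbind","rprivate"]}],"linux":{"namespaces":[{"type":"pid"},{"type":"mount"},{"type":"user"}],"uidMappings":[{"containerID":0,"hostID":100000,"size":65536}],"maskedPaths":["/proc/kcore"],"readonlyPaths":["/proc/sys","/proc/sysrq-trigger"]}}`

func main() {
	raw := []byte(sampleRisky) // audits the constructed sample unless a config.json path is given
	if len(os.Args) > 1 {
		var err error
		if raw, err = os.ReadFile(os.Args[1]); err != nil {
			log.Fatal(err)
		}
	}
	findings, err := Audit(raw)
	if err != nil {
		log.Fatal(err)
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
}
```

With no argument the program audits `sampleRisky` and prints five findings; `sampleHardened` produces none. Of the findings, the user-namespace one is the most useful short of upgrading: a container whose user namespace does not map host root cannot complete the procfs writes these bugs redirect, so enabling user namespaces (or running rootless) narrows the window while the fleet is patched.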