- Three runC flaws could allow container escape and host access with administrator privileges
- Bugs affect Docker/Kubernetes setups using custom mounts and older versions of runC
- Mitigation includes user namespaces and rootless containers to limit the impact of exploits.
The runC container runtime, used in both Docker and Kubernetes, had three high-severity vulnerabilities that could be used to access the underlying system, security researchers warned.
Security researcher Aleksa Sarai reported discovering CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, three bugs that, when chained together, grant access to the underlying container host with administrator privileges.
runC is a lightweight, low-level container runtime used to create and run containers on Linux systems, essentially making it the component that starts and manages containers on a machine.
No evidence of abuse
CVE-2025-31133, with a severity score of 7.3/10 (high), stemmed from runC performing insufficient checks, leading to information disclosure, denial of service, and even container escape.
CVE-2025-52565, another flaw caused by insufficient checks, also leads to denial of service. This bug was rated 8.4/10, while the last one, CVE-2025-52881, was described as a race condition in runC that allows an attacker to redirect /proc writes via shared mounts. It was rated 7.3/10 (high).
To exploit these flaws, attackers would first need to be able to start containers with custom mount configurations, the Sysdig researchers noted, pointing out that in theory this could be achieved via malicious container images or Dockerfiles.
All three bugs affect versions 1.2.7, 1.3.2 and 1.4.0-rc.2 and have been fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
Fortunately, there are currently no reports of the three bugs being actively abused in the wild, and runC developers have shared mitigations, including enabling user namespaces for all containers without mapping the host root user into the container namespace.
“This precaution should block the most important parts of the attack due to Unix DAC permissions which would prevent namespaced users from accessing relevant files,” Sarai reported, adding that using rootless containers is also recommended, as this reduces the potential damage from exploiting the flaws.
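For readers who want to act on the fixed-version list and the user-namespace mitigation above, the following is an added example (not code from the article, from runC or from Docker). It parses the output of `runc --version`, compares it with the fixed releases the article names (1.2.8, 1.3.3 and 1.4.0-rc.3), and checks whether a Docker `daemon.json` enables `userns-remap`, which is the daemon-level switch for running containers in a user namespace so that container root is not host root. The sample version strings and the two `daemon.json` fragments are constructed for the example; branches the article does not mention are reported as undecidable rather than guessed.

```python
import json
import re

# Fixed releases named in the article, keyed by release branch (constructed
# mapping from the page's own version numbers). rc=None means a final release.
FIXED = {
    (1, 2): (1, 2, 8, None),   # 1.2.8
    (1, 3): (1, 3, 3, None),   # 1.3.3
    (1, 4): (1, 4, 0, 3),      # 1.4.0-rc.3
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch, rc) from `runc --version` output.
    rc is None for a final release, which ranks above any rc of that version."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no runc version found in: %r" % text)
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else None)


def _sort_key(v):
    major, minor, patch, rc = v
    # A final release sorts after every release candidate of the same version.
    return (major, minor, patch, float("inf") if rc is None else rc)


def is_patched(version_text):
    """True if runC is at or above the fixed release on its branch, False if it
    is an affected build, None if the branch is not covered by the advisory list."""
    v = parse_version(version_text)
    fixed = FIXED.get((v[0], v[1]))
    if fixed is None:
        return None
    return _sort_key(v) >= _sort_key(fixed)


def userns_remap_enabled(daemon_json_text):
    """Return True when Docker's daemon.json sets `userns-remap` (e.g. "default"
    or "user:group"), i.e. containers run in a user namespace without host root."""
    cfg = json.loads(daemon_json_text)
    return bool(cfg.get("userns-remap"))


# Constructed sample inputs: an affected build, a fixed build, and two daemon
# configurations (one without the mitigation, one with it).
AFFECTED_OUTPUT = "runc version 1.2.7\ncommit: v1.2.7-0-gdeadbeef\nspec: 1.2.1"
FIXED_OUTPUT = "runc version 1.4.0-rc.3\ncommit: v1.4.0-rc.3-0-gcafef00d"
WEAK_CONFIG = '{"log-driver": "json-file"}'
HARDENED_CONFIG = '{"log-driver": "json-file", "userns-remap": "default"}'

if __name__ == "__main__":
    for label, out in (("affected", AFFECTED_OUTPUT), ("fixed", FIXED_OUTPUT)):
        print(label, parse_version(out), "patched:", is_patched(out))
    print("weak config remaps root:", userns_remap_enabled(WEAK_CONFIG))
    print("hardened config remaps root:", userns_remap_enabled(HARDENED_CONFIG))
```

On a real host, feed `is_patched` the text of `runc --version` (Docker and containerd ship their own runC binary, so check the one the daemon actually invokes) and `userns_remap_enabled` the contents of `/etc/docker/daemon.json`; a `None` from `is_patched` means the branch is not one the article lists, so the answer has to come from the vendor's advisory rather than this table.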
Via BleepingComputer