New runc vulnerabilities allow container escape: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881

Three runc vulnerabilities disclosed on November 5, 2025 can allow container escapes by abusing maskedPaths, /dev/console mount races, and procfs write redirection, though no active exploits were identified at publication. Recommended mitigations include updating runc to fixed versions, enabling user namespaces, and using rootless containers.

Keypoints

  • Three distinct vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) can enable container escape by allowing writes to host procfs files.
  • CVE-2025-31133 abuses maskedPaths and /dev/null symlink replacement to mount arbitrary host paths into containers and write to files like /proc/sys/kernel/core_pattern.
  • CVE-2025-52565 exploits mount race conditions involving /dev/pts/$n and /dev/console during container init to bypass maskedPaths and readonlyPaths protections.
  • CVE-2025-52881 enables LSM label bypass and arbitrary writes by redirecting runc writes to fake procfs files via shared-mount race conditions, affecting all /proc writes including sysctls and security labels.
  • All known runc versions were affected, with fixes provided in runc 1.2.8, 1.3.3, 1.4.0-rc.3 and later; some vulnerabilities only affect runc >=1.0.0-rc3.
  • Detection is possible with Sysdig Secure and Falco by monitoring suspicious symlink creation over procfs files; Sysdig provided an experimental Falco rule to detect relevant activity.
  • Immediate mitigations: update runc to fixed versions, enable user namespaces, prefer rootless containers, and apply vendor platform patches (AWS, ECS, EKS, etc.).
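The first mitigation is a version check, which is fiddlier than it looks because runc ships release candidates (1.4.0-rc.3 is fixed, 1.4.0-rc.2 is not) and because each maintained branch has its own first fixed release. The script below is an added example, not Sysdig's or the runc project's tooling: it encodes the fixed versions the advisory lists (1.2.8, 1.3.3, 1.4.0-rc.3), orders release candidates before the corresponding final release, and triages a constructed inventory. Branches the advisory does not list (1.1.x and older, or anything newer than 1.4) are handled by an assumption stated in the comments: the advisory says all known versions were affected, so such a branch is treated as vulnerable unless it is newer than every listed fix.

```python
import re

# First fixed release on each branch, as stated in the advisory.
FIXED_VERSIONS = {
    (1, 2): "1.2.8",
    (1, 3): "1.3.3",
    (1, 4): "1.4.0-rc.3",
}

# Accepts "1.2.8", "v1.4.0-rc.3" and the older "1.0.0-rc3" spelling.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?$")


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, rc).

    A release candidate sorts before the final release with the same
    x.y.z, so the final release is given an effectively infinite rc number.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised runc version: {text!r}")
    major, minor, patch, rc = m.groups()
    rc_key = int(rc) if rc is not None else float("inf")
    return (int(major), int(minor), int(patch), rc_key)


def is_vulnerable(version_text):
    """True if this runc version predates the fix on its branch."""
    version = parse_version(version_text)
    branch = (version[0], version[1])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Assumption (not from the advisory): a branch with no listed fix is
        # vulnerable unless it is newer than every fixed release, since the
        # advisory states that all known versions were affected.
        newest_fix = max(parse_version(f) for f in FIXED_VERSIONS.values())
        return version < newest_fix
    return version < parse_version(fixed)


def triage(inventory):
    """Return {host: version} for every host still running a vulnerable runc."""
    return {host: ver for host, ver in inventory.items() if is_vulnerable(ver)}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "node-a": "1.1.12",
        "node-b": "1.2.8",
        "node-c": "1.3.2",
        "node-d": "1.4.0-rc.2",
        "node-e": "v1.4.0",
    }
    for host, ver in triage(sample).items():
        print(f"{host}: runc {ver} is vulnerable, upgrade required")
```

The version string itself usually comes from `runc --version` on the node or from the container runtime's reported version; feed that into `is_vulnerable` rather than relying on a package-manager version that may carry distribution suffixes the regex does not accept.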

MITRE Techniques

  • [T1610] Exploit Public-Facing Application – runc flaws exploited during container creation to mount or redirect files and gain host access (“…by replacing /dev/null with a symlink during container creation, attackers can trick runc into mounting arbitrary host paths into the container.”).
  • [T1218] Abuse Elevation Control Mechanism: Sudo and Sudo Caching (analogous technique: abusing system mount operations and procfs writes to elevate privileges) – attackers redirect mounts and procfs writes to modify sensitive host files like /proc/sys/kernel/core_pattern (“…enables writing to critical files, such as /proc/sys/kernel/core_pattern, to escape the container.”).
  • [T1090] Exploitation for Defense Evasion (Mount/LSM bypass) – race conditions and shared-mount manipulation bypass LSM labels and protections to hide or redirect forbidden writes (“…allows redirecting runc writes to /proc files using a race condition with shared mounts… bypass Linux Security Module (LSM) labels…”).
  • [T1553] Create or Modify System Process (via procfs manipulation) – attacker-controlled writes to procfs/sysctl files (e.g., /proc/sysrq-trigger) to trigger denial-of-service or other host-impacting behavior (“…redirect sysctl writes containing arbitrary text to dangerous files like /proc/sysrq-trigger… that can crash the system or escape the container.”).

Indicators of Compromise

  • [Symlink creations] Suspicious symlink behavior indicating attempts to replace /dev/null or redirect mounts – examples: symlink targeting “/proc/sys/kernel/core_pattern” with linkpath containing “/dev/null”; symlink targeting “/proc/sysrq-trigger” with linkpath starting with “/dev/pts/”.
  • [Software versions] Vulnerable runc versions observed in inventory scans – all known versions are affected in general, i.e. anything before 1.2.8 / 1.3.3 / 1.4.0-rc.3 on the respective branch; for one CVE the affected range is stated as “runc versions 1.0.0-rc3 and later”.
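The symlink indicators above translate directly into detection logic. The following is an added example written for this page, not Sysdig's experimental Falco rule: it runs over constructed symlink events (the field names `container_id`, `syscall`, `target` and `linkpath` are assumptions modelled on what a syscall-level sensor exposes for symlink/symlinkat) and applies the two patterns quoted in the indicators. It also generalises beyond the page with a lower-severity rule, flagged as an assumption in the code, that reports any symlink pointing into /proc created from inside a container, since redirecting a write through procfs is the common element of all three CVEs. Targets are normalised first so that a path such as /proc/sys/../sysrq-trigger is not missed by a plain string comparison.

```python
import os

# Constructed sample events, not real telemetry. "host" marks a process that
# is not in a container; the other ids are made-up container ids.
SAMPLE_EVENTS = [
    {"container_id": "3f2a1b", "syscall": "symlinkat",
     "target": "/proc/sys/kernel/core_pattern", "linkpath": "/dev/null"},
    {"container_id": "3f2a1b", "syscall": "symlink",
     "target": "/proc/sysrq-trigger", "linkpath": "/dev/pts/0"},
    {"container_id": "9c0d4e", "syscall": "symlink",
     "target": "/proc/sys/../sysrq-trigger", "linkpath": "/dev/pts/1"},
    {"container_id": "9c0d4e", "syscall": "symlink",
     "target": "/proc/self/fd", "linkpath": "/tmp/fd"},
    {"container_id": "host", "syscall": "symlink",
     "target": "/usr/bin/python3.11", "linkpath": "/usr/local/bin/python"},
    {"container_id": "3f2a1b", "syscall": "symlink",
     "target": "/etc/nginx/nginx.conf", "linkpath": "/app/nginx.conf"},
]

SYMLINK_SYSCALLS = {"symlink", "symlinkat"}


def classify(event):
    """Return (severity, rule_name) for a suspicious symlink event, else None.

    Rules are checked in order of severity and the first match wins.
    """
    if event.get("syscall") not in SYMLINK_SYSCALLS:
        return None
    # Collapse "." and ".." components; this is lexical normalisation only,
    # which is enough for matching the indicator strings.
    target = os.path.normpath(event.get("target", ""))
    linkpath = event.get("linkpath", "")
    in_container = event.get("container_id", "host") != "host"

    # Indicator 1 from the advisory: core_pattern reached through /dev/null.
    if target == "/proc/sys/kernel/core_pattern" and "/dev/null" in linkpath:
        return ("critical", "core_pattern_via_devnull")
    # Indicator 2 from the advisory: sysrq-trigger reached through a pty node.
    if target == "/proc/sysrq-trigger" and linkpath.startswith("/dev/pts/"):
        return ("critical", "sysrq_trigger_via_pts")
    # Assumption (generalisation, not on the page): any symlink into procfs
    # created from inside a container deserves a look, at lower severity.
    if in_container and target.startswith("/proc/"):
        return ("warning", "procfs_symlink_in_container")
    return None


def scan(events):
    """Return [(severity, rule_name, event), ...] for every flagged event."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict is not None:
            findings.append((verdict[0], verdict[1], event))
    return findings


if __name__ == "__main__":
    for severity, rule, event in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: container={event['container_id']} "
              f"{event['linkpath']} -> {event['target']}")
```

The generalised rule will also fire on legitimate tooling that symlinks into /proc from inside a container, so tune it per workload before promoting it above warning; the two indicator-derived rules are specific enough to alert on as they stand.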


Read more: https://www.sysdig.com/blog/runc-container-escape-vulnerabilities