7.5 CVE-2025-52565
Enriched by CISA Patch Exploit
runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
https://nvd.nist.gov/vuln/detail/CVE-2025-52565
Categories
CWE-61 : UNIX Symbolic Link (Symlink) Following
A product that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.
References
security-advisories@github.com Patch Exploit
AFFECTED (from MITRE)
| Vendor | Product | Versions |
|---|---|---|
| opencontainers | runc |
|
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. | ||
CPE
| cpe | start | end |
|---|---|---|
| Configuration 1 | ||
| cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:* | >= 1.0.1 | < 1.2.8 |
| cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:* | >= 1.3.0 | < 1.3.3 |
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc9:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc90:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc91:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc92:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc93:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc94:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.0.0:rc95:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.4.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:linuxfoundation:runc:1.4.0:rc2:*:*:*:*:*:* | ||
REMEDIATION
Patch
EXPLOITS
Exploit-db.com
| id | description | date | |
|---|---|---|---|
| No known exploits | |||
POC Github
| Url |
|---|
| No known exploits |
Other Nist (github, ...)
| Url |
|---|
| https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r |
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| 27 | Leveraging Race Conditions via Symbolic Links |
High |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
