- Description
- runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- runc
CVSS 4.0
- Type
- Secondary
- Base score
- 7.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 6
- Exploitability score
- 0.8
- Vector string
- CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
- Severity
- HIGH
- security-advisories@github.com
- CWE-61
- Hype score
- Not currently trending
#VulnerabilityReport #containerescape OCI Fixes Container Escape Vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) https://t.co/MSgAVO9Dle
@Komodosec
13 Dec 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
>Here are some of the highlights in Proxmox VE 9.1: >Create LXC containers from OCI images I use Docker in Proxmox CTs, and with the CVE-2025-52881 fix landing I was thinking I might as well move to VMs, but then something interesting-looking got released https
@fukumen99
19 Nov 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Updated the SIOS Security Blog. runc vulnerabilities (Important: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) #sios_tech #security #セキュリティ https://t.co/XvdeohK0hz
@omokazuki
17 Nov 2025
75 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
runc vulnerabilities (Important: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) #sios_tech #security #セキュリティ https://t.co/XvdeohK0hz
@omokazuki
16 Nov 2025
59 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
AWS has announced important security issues affecting runc containers (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881). Caution is required. Check the details and take appropriate measures. #AWS #セキュリティ https://t.co/ODVmPAHcp
@OCGOT1616
11 Nov 2025
104 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Runc vulnerabilities CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 allow container escape and root access on hosts running Kubernetes and Docker. Patches are available but risks remain with untrusted images. #ContainerSecurity #KubernetesRisk https://t.co/r2svfOK2hp
@TweetThreatNews
10 Nov 2025
37 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Red Hat product fixes for the recently announced runc-related CVEs. CVE-2025-31133: https://t.co/ljWeQvJ2L0 CVE-2025-52565: https://t.co/v5ZyUlnKyz CVE-2025-52881: https://t.co/xK6B78zJr5
@orimanabu
10 Nov 2025
83 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
"New runc vulnerabilities allow container escape: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881" On November 5, 2025, SUSE researchers disclosed three vulnerabilities. https://t.co/nXa9XLaocc #脆弱性 #CV
@TakaoShimizu1
10 Nov 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
oss-sec: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 https://t.co/5NjEXUU2H4
@akaclandestine
9 Nov 2025
854 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
#Kubernetes: Newly disclosed #vulnerabilities in the #runC container runtime used in #Docker & Kubernetes (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) could be exploited to bypass isolation restrictions & get access to the host system (escape): #k8s https://t.co/uS
@securestep9
9 Nov 2025
307 Impressions
1 Retweet
7 Likes
0 Bookmarks
0 Replies
0 Quotes
I was updating absent-mindedly and ran into this. CVE-2025-52881: fd reopening causes issues with AppArmor profiles (`open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied`) · Issue #4968 · opencontainers/runc https://t.co/UUB9Pbna3A
@rrrrrrrr_ch
9 Nov 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
New runc vulnerabilities allow container escape: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 https://t.co/VVqkawy1LD
@jreuben1
8 Nov 2025
54 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
AWS released new Amazon Machine Images AMIs for Amazon ECS, AWS Elastic Beanstalk, Bottlerocket on November 5, 2025, to address critical runc security vulnerabilities CVE-2025-31133, CVE-2025-52565, CVE-2025-52881. Customers are strongly recommended to update to versions to fix.
@ismailriyaz999
8 Nov 2025
62 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
runc: Container escapes via procfs writes https://t.co/pDDvCWQtsL CVE-2025-31133: via masked path abuse due to mount race conditions CVE-2025-52565: with malicious config due to /dev/console mount and related races CVE-2025-52881: and DoS due to arbitrary write gadgets and procfs
@oss_security
7 Nov 2025
1070 Impressions
2 Retweets
6 Likes
7 Bookmarks
0 Replies
0 Quotes
CVE-2025-52881 runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into mi… https://t.co/U4X1esPfJp
@CVEnew
6 Nov 2025
291 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 https://t.co/EF1sO5kbd0
@ytroncal
5 Nov 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
3 new container breakouts in runc CVE-2025-31133 CVE-2025-52565 CVE-2025-52881 - containers don't contain! containers are a security dumpsterfire https://t.co/OLegTlKCXx
@nanovms
5 Nov 2025
303 Impressions
0 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "889E52A1-D7B0-4DC8-BD63-9413A1DD9EEB",
            "versionEndExcluding": "1.2.8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "F3193A96-E882-439B-984E-782315C62F69",
            "versionEndExcluding": "1.3.3",
            "versionStartIncluding": "1.3.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:runc:1.4.0:rc1:*:*:*:*:*:*",
            "matchCriteriaId": "082E3496-822B-481B-AC2F-DA8DCAFC28FF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:runc:1.4.0:rc2:*:*:*:*:*:*",
            "matchCriteriaId": "71C62E90-6357-44A4-B582-28B1F1D9B16D",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]