CVE-2025-52565
runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting /dev/pts/$n to /dev/console inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of /dev/pts/$n to /dev/console as configured for all containers that allocate a console). This happens after pivot_root(2), so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of /proc/sysrq-trigger or /proc/sys/kernel/core_pattern (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
| Software | From | Fixed in |
|---|---|---|
github.com/opencontainers/runc
|
1.0.0-rc3 | 1.2.8 |
|
github.com/opencontainers/runc
|
1.3.0-rc.1 | 1.3.3 |
|
github.com/opencontainers/runc
|
1.4.0-rc.1 | 1.4.0-rc.3 |
| linuxfoundation / runc | 1.0.1 | 1.2.8 |
| linuxfoundation / runc | 1.3.0 | 1.3.3 |
| linuxfoundation / runc | 1.0.0-rc3 | 1.0.0-rc3.x |
| linuxfoundation / runc | 1.0.0-rc4 | 1.0.0-rc4.x |
| linuxfoundation / runc | 1.0.0-rc5 | 1.0.0-rc5.x |
| linuxfoundation / runc | 1.0.0-rc6 | 1.0.0-rc6.x |
| linuxfoundation / runc | 1.0.0-rc7 | 1.0.0-rc7.x |
| linuxfoundation / runc | 1.0.0-rc8 | 1.0.0-rc8.x |
| linuxfoundation / runc | 1.0.0-rc9 | 1.0.0-rc9.x |
| linuxfoundation / runc | 1.0.0-rc90 | 1.0.0-rc90.x |
| linuxfoundation / runc | 1.0.0-rc91 | 1.0.0-rc91.x |
| linuxfoundation / runc | 1.0.0-rc92 | 1.0.0-rc92.x |
| linuxfoundation / runc | 1.0.0-rc93 | 1.0.0-rc93.x |
| linuxfoundation / runc | 1.0.0-rc94 | 1.0.0-rc94.x |
| linuxfoundation / runc | 1.0.0-rc95 | 1.0.0-rc95.x |
| linuxfoundation / runc | 1.4.0-rc1 | 1.4.0-rc1.x |
| linuxfoundation / runc | 1.4.0-rc2 | 1.4.0-rc2.x |
- https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4
- https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398
- https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e
- https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d
- https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a
- https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64
- https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8
- https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480
- https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime