- Three runC errors could allow container escape and host access with administrator privileges
- Bugs affect Docker/Kubernetes setups using custom mounts and older runC versions
- Mitigation includes user namespaces and rootless containers to limit exploitation impact
The RunC container runtime used in both Docker and Kubernetes contained three serious vulnerabilities that could be used to gain access to the underlying system, security researchers have warned.
Security researcher Aleksa Sarai disclosed the discovery of CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, three flaws that, when chained together, allowed access to the underlying container host with administrative privileges.
runC is a lightweight, low-level container runtime used to create and run containers on Linux systems – in effect, the component that actually starts and manages containers on a machine.
No evidence of abuse
CVE-2025-31133, with a severity rating of 7.3/10 (high), stemmed from the fact that runc would not perform sufficient verifications, leading to information disclosure, denial of service attacks, and even container escape.
CVE-2025-52565, another insufficient control flaw, also leads to denial of service attacks. This bug received an 8.4/10 score, while the final, CVE-2025-52881, was described as a race condition in runc, which allows an attacker to redirect /proc writes via shared mounts. This got a score of 7.3/10 (high).
To exploit the flaws, attackers would first need to be able to launch containers with custom mount configurations, Sysdig researchers noted, stressing that this could theoretically be achieved through malicious container images or Dockerfiles.
All three bugs affect versions 1.2.7, 1.3.2 and 1.4.0-rc.2 and were fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
Fortunately, there are currently no reports of any of the three bugs being actively exploited in the wild, and runC developers have shared mitigations, including enabling user namespaces for all containers without mapping the host root user to the container namespace.
“This precaution should block the most important parts of the attack due to the Unix DAC permissions that would prevent namespaced users from accessing relevant files,” it reported, adding that using rootless containers is also recommended, as this reduces the potential damage from exploiting the flaws.
Via Bleeping Computer