FKIE_CVE-2025-52565

Vulnerability from fkie_nvd - Published: 2025-11-06 20:15 - Updated: 2025-12-03 18:33
Severity ?
7.5 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
References
security-advisories@github.comhttps://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4Patch
security-advisories@github.comhttps://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398Patch
security-advisories@github.comhttps://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2ePatch
security-advisories@github.comhttps://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1dPatch
security-advisories@github.comhttps://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53aPatch
security-advisories@github.comhttps://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64Patch
security-advisories@github.comhttps://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8Patch
security-advisories@github.comhttps://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480Patch
security-advisories@github.comhttps://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7rPatch, Third Party Advisory, Exploit, Mitigation
Impacted products
Vendor Product Version
linuxfoundation runc *
linuxfoundation runc *
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.0.0
linuxfoundation runc 1.4.0
linuxfoundation runc 1.4.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3282BD30-4E57-4E14-980A-964ACD33820C",
              "versionEndExcluding": "1.2.8",
              "versionStartIncluding": "1.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3193A96-E882-439B-984E-782315C62F69",
              "versionEndExcluding": "1.3.3",
              "versionStartIncluding": "1.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "3E580E25-F94C-4DA4-8718-15D5F1C3ADAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "FD565CE0-D9E9-4FD9-8998-8AC55030FAB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "093326B1-448C-4E3B-886D-CAC8B6813BFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "F672C421-789D-4F21-B483-DA3EB251BA1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "E13C190A-D7CE-4204-8CEF-B7317D3FFBF9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8:*:*:*:*:*:*",
              "matchCriteriaId": "15AEA3E2-A82F-4562-AFE6-B83A767B94E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc9:*:*:*:*:*:*",
              "matchCriteriaId": "EB5109FF-7C41-477E-B817-F63F06D866C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc90:*:*:*:*:*:*",
              "matchCriteriaId": "B6B8085F-4B68-47E4-8B4B-FB8C2742EEF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc91:*:*:*:*:*:*",
              "matchCriteriaId": "978AFEA7-C64F-4B24-B314-4E0E7D5C521A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc92:*:*:*:*:*:*",
              "matchCriteriaId": "A134E568-C11C-4D12-9B61-BFA58A080B96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc93:*:*:*:*:*:*",
              "matchCriteriaId": "6FAC79BA-7A2A-45E3-8806-E2C812991ACC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc94:*:*:*:*:*:*",
              "matchCriteriaId": "151570F5-F04B-4F31-AE6E-F364FC8AC01C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc95:*:*:*:*:*:*",
              "matchCriteriaId": "6208C863-487A-4343-B706-E84703C97116",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.4.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "082E3496-822B-481B-AC2F-DA8DCAFC28FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:runc:1.4.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "71C62E90-6357-44A4-B582-28B1F1D9B16D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3."
    },
    {
      "lang": "es",
      "value": "runc es una herramienta CLI para generar y ejecutar contenedores seg\u00fan la especificaci\u00f3n OCI. Las versiones 1.0.0-rc3 hasta la 1.2.7, 1.3.0-rc.1 hasta la 1.3.2, y 1.4.0-rc.1 hasta la 1.4.0-rc.2, debido a comprobaciones insuficientes al montar por enlace \u0027/dev/pts/$n\u0027 a \u0027/dev/console\u0027 dentro del contenedor, un atacante puede enga\u00f1ar a runc para que monte por enlace rutas que normalmente se har\u00edan de solo lectura o se enmascarar\u00edan en una ruta en la que el atacante pueda escribir. Este ataque es muy similar en concepto y aplicaci\u00f3n a CVE-2025-31133, excepto que ataca una vulnerabilidad similar en un objetivo diferente (es decir, el montaje por enlace de \u0027/dev/pts/$n\u0027 a \u0027/dev/console\u0027 tal como est\u00e1 configurado para todos los contenedores que asignan una consola). Esto ocurre despu\u00e9s de \u0027pivot_root(2)\u0027, por lo que esto no puede usarse para escribir directamente en archivos del host; sin embargo, al igual que con CVE-2025-31133, esto puede llevar a la denegaci\u00f3n de servicio del host o a un escape de contenedor al proporcionar al atacante una copia escribible de \u0027/proc/sysrq-trigger\u0027 o \u0027/proc/sys/kernel/core_pattern\u0027 (respectivamente). Este problema est\u00e1 solucionado en las versiones 1.2.8, 1.3.3 y 1.4.0-rc.3."
    }
  ],
  "id": "CVE-2025-52565",
  "lastModified": "2025-12-03T18:33:33.357",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.4,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-06T20:15:49.240",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory",
        "Exploit",
        "Mitigation"
      ],
      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-61"
        },
        {
          "lang": "en",
          "value": "CWE-363"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.