EXECUTIVE SUMMARY:
The OCI runc project has published advisories for three high-severity container escape vulnerabilities that allow a malicious container to manipulate mounts, symlinks or namespaces and thereby affect host kernel interfaces, potentially causing denial of service, information disclosure, or privilege escalation. These issues affect runc releases up to 1.2.7, 1.3.2, and 1.4.0-rc.2.
- CVE-2025-31133: This flaw arises from how runc implements masked paths: runc bind-mounts a dummy source over a host path to hide it inside the container, but it does not reliably verify the identity of that source before performing the mount. An attacker inside the container can replace or redirect the dummy so that the bind-mount overlays a sensitive host interface, enabling writes to or control over host kernel settings and potentially allowing container escape or host disruption. The risk is high: the vulnerability carries a CVSS v4.0 base score of 7.3, reflecting a local attack that requires only partial privileges and can cause high-impact confidentiality, integrity, or availability changes on the host.
- CVE-2025-52565: This issue concerns console allocation and the ordering of mounts: when runc bind-mounts a pseudo-TTY to provide the container console, that mount can occur before protections such as maskedPaths or readonlyPaths are applied. By winning a race or manipulating the pseudo-TTY target, a malicious container can cause runc to bind an unintended host path onto the console device, exposing protected host files and enabling actions ranging from denial of service to privilege escalation. This vulnerability is assessed as similarly severe, with a CVSS v4.0 base score of 7.3, indicating that an attacker with local access and modest capability can produce high host impact.
- CVE-2025-52881: This vulnerability allows redirected writes and namespace manipulation to bypass expected security checks and LSM protections: by controlling mount namespace state and symlinks, an attacker can cause runc's internal writes to be redirected to unintended host kernel paths, resulting in host configuration corruption, crashes, or opportunities for code execution outside the container boundary. Like the others, it carries a CVSS v4.0 base score of 7.3, reflecting a high potential for host compromise from local, privileged container operations.
RECOMMENDATION:
We strongly recommend you update runc to versions 1.2.8, 1.3.3, or 1.4.0-rc.3.
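To triage hosts against the affected ranges above, the following added example (not code from the advisory or the runc project) parses `runc --version` output and reports whether the installed release predates the fixed versions; treating series newer than 1.4 as already fixed is an assumption, since the advisory does not mention them.

```python
import re
import subprocess

# Fixed releases as stated in the advisory above; anything ordered below the
# fixed release of its own minor series is affected.
FIXED_RELEASES = ("1.2.8", "1.3.3", "1.4.0-rc.3")

# Matches "1.2.7", "1.4.0-rc.2" and the older "1.0.0-rc95" spelling.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")


def parse_version(text):
    """Return a sortable key for a version string or full `runc --version` output.

    Pre-releases (1.4.0-rc.2) sort before the final release (1.4.0).
    Returns None if no version number is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    # A final release gets marker 1 so it sorts above every rc of that patch level.
    return (int(major), int(minor), int(patch), 1 if rc is None else 0, int(rc or 0))


FIXED_KEYS = {k[:2]: k for k in map(parse_version, FIXED_RELEASES)}


def is_vulnerable(version_text):
    """True if the runc version is below the fixed release of its series.

    Series older than 1.2 have no fixed release listed in the advisory and are
    reported as affected; series newer than 1.4 are assumed to carry the fix.
    """
    key = parse_version(version_text)
    if key is None:
        raise ValueError("no runc version found in: %r" % version_text)
    series = key[:2]
    if series in FIXED_KEYS:
        return key < FIXED_KEYS[series]
    return series < min(FIXED_KEYS)


def check_installed(binary="runc"):
    """Run `runc --version` on this host and report whether it needs updating."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample in the format `runc --version` prints (hash is a placeholder).
    sample = "runc version 1.2.7\ncommit: v1.2.7-0-gPLACEHOLDER\nspec: 1.2.0\n"
    print("vulnerable" if is_vulnerable(sample) else "fixed")
```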
REFERENCES:
The following reports contain further technical details: