- Three runC flaws could allow container escape and host access with administrator privileges
- Bugs affect Docker/Kubernetes configurations using custom mounts and older versions of runC
- Mitigation includes user namespaces and rootless containers to limit the impact of exploitation.
The runC container runtime, used in both Docker and Kubernetes, had three high-severity vulnerabilities that could be used to access the underlying system, security researchers warned.
Security researcher Aleksa Sarai revealed she discovered CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, three bugs that, when chained together, granted access to the underlying container host with administrator privileges.
runC is a low-level, lightweight container runtime used to create and run containers on Linux systems, essentially making it the component that starts and manages containers on a machine.
There is no evidence of abuse
CVE-2025-31133, with a severity score of 7.3/10 (high), stems from runC not performing sufficient checks, which can lead to information disclosure, denial of service, and even container escape.
CVE-2025-52565, another insufficient-checks flaw, can also cause a denial of service and received a score of 8.4/10. The final one, CVE-2025-52881, was described as a race condition in runC that allows an attacker to redirect /proc writes via shared mounts; it received a score of 7.3/10 (high).
To exploit the flaws, an attacker would first need to be able to launch containers with custom mount configurations, Sysdig researchers noted, adding that this could theoretically be achieved through malicious container images or Dockerfiles.
All three bugs affect versions 1.2.7, 1.3.2, and 1.4.0-rc.2 and were fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
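Checking a fleet for the affected builds comes down to comparing the installed runC version against the fixed release in its series. The following checker is an added example, not code from the article or from the runC project; it assumes that any version below the fixed release in a series named above (1.2.8, 1.3.3, 1.4.0-rc.3) should be treated as unpatched, and the `runc --version` output it parses is constructed for the demonstration.

```python
import re

# Fixed releases named in the advisory, keyed by release series.
# Tuple layout: (major, minor, patch, rc) with rc=None for a final release.
FIXED = {
    (1, 2): (1, 2, 8, None),
    (1, 3): (1, 3, 3, None),
    (1, 4): (1, 4, 0, 3),
}

# Constructed sample of `runc --version` output (not captured from a real host).
SAMPLE_OUTPUT = """runc version 1.3.2
commit: v1.3.2-0-gPLACEHOLDER
spec: 1.2.0
go: go1.23.0
libseccomp: 2.5.5
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")


def parse_runc_version(text):
    """Return (major, minor, patch, rc) from `runc --version` output or a bare string."""
    # Prefer the "runc version X" line so the commit line cannot mislead the parser.
    m = re.search(r"runc version (\S+)", text)
    candidate = m.group(1) if m else text
    v = VERSION_RE.search(candidate)
    if not v:
        raise ValueError("no runc version found in input")
    major, minor, patch, rc = v.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else None)


def sort_key(v):
    """Ordering key: a final release sorts after every release candidate of it."""
    major, minor, patch, rc = v
    return (major, minor, patch, 1 if rc is None else 0, rc or 0)


def assess(text):
    """Classify a runC version as 'fixed', 'affected', or 'unknown' (series not listed)."""
    v = parse_runc_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown"  # series not named in the advisory; consult upstream before trusting it
    return "fixed" if sort_key(v) >= sort_key(fixed) else "affected"


if __name__ == "__main__":
    print(parse_runc_version(SAMPLE_OUTPUT), assess(SAMPLE_OUTPUT))
```

On a real host, pipe `runc --version` into `assess` instead of the constructed sample; an "affected" verdict means the host needs the patched release and, until then, the user-namespace mitigation described below.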
Fortunately, there are currently no reports of any of the three bugs being actively abused, and the runC developers have shared mitigations, including enabling user namespaces for all containers without mapping the host root user into the container's namespace.
“This precaution should block the most important parts of the attack due to Unix DAC permissions that would prevent users with namespaces from accessing relevant files,” he reported, adding that the use of rootless containers is also recommended, as this reduces the potential damage from exploiting the flaws.
Via BleepingComputer
