csaf_redhat - rhsa-2025:21824

rhsa-2025:21824

Vulnerability from csaf_redhat

Published

2025-11-27 11:08

Modified

2025-11-27 17:38

Summary

Red Hat Security Advisory: OpenShift Container Platform 4.16.53 bug fix and security update

Notes

Topic

Red Hat OpenShift Container Platform release 4.16.53 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.16. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.16.53. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/156371 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/release_notes/ Security Fix(es): * runc: container escape via 'masked path' abuse due to mount race conditions (CVE-2025-31133) * runc: container escape with malicious config due to /dev/console mount and related races (CVE-2025-52565) * runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects (CVE-2025-52881) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html-single/updating_clusters/index#updating-cluster-cli.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat OpenShift Container Platform release 4.16.53 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.16.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the container images for Red Hat OpenShift Container Platform 4.16.53. See the following advisory for the RPM packages for this release:\n\nhttps://access.redhat.com/errata/156371\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/release_notes/\n\nSecurity Fix(es):\n\n* runc: container escape via \u0027masked path\u0027 abuse due to mount race conditions (CVE-2025-31133)\n* runc: container escape with malicious config due to /dev/console mount and related races (CVE-2025-52565)\n* runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects (CVE-2025-52881)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html-single/updating_clusters/index#updating-cluster-cli.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:21824",
        "url": "https://access.redhat.com/errata/RHSA-2025:21824"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2404705",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404705"
      },
      {
        "category": "external",
        "summary": "2404708",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404708"
      },
      {
        "category": "external",
        "summary": "2404715",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404715"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_21824.json"
      }
    ],
    "title": "Red Hat Security Advisory: OpenShift Container Platform 4.16.53 bug fix and security update",
    "tracking": {
      "current_release_date": "2025-11-27T17:38:15+00:00",
      "generator": {
        "date": "2025-11-27T17:38:15+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.13"
        }
      },
      "id": "RHSA-2025:21824",
      "initial_release_date": "2025-11-27T11:08:51+00:00",
      "revision_history": [
        {
          "date": "2025-11-27T11:08:51+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-11-27T11:08:51+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-27T17:38:15+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Container Platform 4.16",
                "product": {
                  "name": "Red Hat OpenShift Container Platform 4.16",
                  "product_id": "9Base-RHOSE-4.16",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:4.16::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhcos-aarch64-416.94.202511191934-0",
                "product": {
                  "name": "rhcos-aarch64-416.94.202511191934-0",
                  "product_id": "rhcos-aarch64-416.94.202511191934-0",
                  "product_identification_helper": {
                    "purl": "pkg:generic/redhat/rhcos@416.94.202511191934?arch=aarch64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhcos-ppc64le-416.94.202511191934-0",
                "product": {
                  "name": "rhcos-ppc64le-416.94.202511191934-0",
                  "product_id": "rhcos-ppc64le-416.94.202511191934-0",
                  "product_identification_helper": {
                    "purl": "pkg:generic/redhat/rhcos@416.94.202511191934?arch=ppc64le"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhcos-s390x-416.94.202511191934-0",
                "product": {
                  "name": "rhcos-s390x-416.94.202511191934-0",
                  "product_id": "rhcos-s390x-416.94.202511191934-0",
                  "product_identification_helper": {
                    "purl": "pkg:generic/redhat/rhcos@416.94.202511191934?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhcos-x86_64-416.94.202511191934-0",
                "product": {
                  "name": "rhcos-x86_64-416.94.202511191934-0",
                  "product_id": "rhcos-x86_64-416.94.202511191934-0",
                  "product_identification_helper": {
                    "purl": "pkg:generic/redhat/rhcos@416.94.202511191934?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhcos-aarch64-416.94.202511191934-0 as a component of Red Hat OpenShift Container Platform 4.16",
          "product_id": "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0"
        },
        "product_reference": "rhcos-aarch64-416.94.202511191934-0",
        "relates_to_product_reference": "9Base-RHOSE-4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhcos-ppc64le-416.94.202511191934-0 as a component of Red Hat OpenShift Container Platform 4.16",
          "product_id": "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0"
        },
        "product_reference": "rhcos-ppc64le-416.94.202511191934-0",
        "relates_to_product_reference": "9Base-RHOSE-4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhcos-s390x-416.94.202511191934-0 as a component of Red Hat OpenShift Container Platform 4.16",
          "product_id": "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0"
        },
        "product_reference": "rhcos-s390x-416.94.202511191934-0",
        "relates_to_product_reference": "9Base-RHOSE-4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhcos-x86_64-416.94.202511191934-0 as a component of Red Hat OpenShift Container Platform 4.16",
          "product_id": "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
        },
        "product_reference": "rhcos-x86_64-416.94.202511191934-0",
        "relates_to_product_reference": "9Base-RHOSE-4.16"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-31133",
      "cwe": {
        "id": "CWE-59",
        "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
      },
      "discovery_date": "2025-10-17T14:17:18.235000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2404705"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in runc. This flaw exploits an issue with how masked paths are implementedin runc. When masking files, runc will bind-mount the container\u0027s /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "runc: container escape via \u0027masked path\u0027 abuse due to mount race conditions",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat considers this as an Important flaw since the impact is limited to local attack with minimal privileges in order to jeopardize the environment.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
          "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
          "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
          "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-31133"
        },
        {
          "category": "external",
          "summary": "RHBZ#2404705",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404705"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-31133",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-31133"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-31133",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31133"
        }
      ],
      "release_date": "2025-11-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-11-27T11:08:51+00:00",
          "details": "For OpenShift Container Platform 4.16 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n      (For x86_64 architecture)\n      The image digest is sha256:fe82edf8318eb10aac27fbc005ccee485a6e92734a0241cfa74a5b5ad4f9cc04\n\n      (For s390x architecture)\n      The image digest is sha256:91659a7217d7007c7c89424491935a4cbff57ff651ca183dfc9abe51cad37315\n      (For ppc64le architecture)\n      The image digest is sha256:1b195e402933e9d828a9d48ca1e0ce5835686cffda64a3910efba819de61b829\n      (For aarch64 architecture)\n      The image digest is sha256:d9ad3b1418d7e8c9c5a38f2b378d944c5af7ed31253fd00025d6ac5b340ada50\n\nAll OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html-single/updating_clusters/index#updating-cluster-cli.",
          "product_ids": [
            "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:21824"
        },
        {
          "category": "workaround",
          "details": "Potential mitigations for this issue include:\n\n* Using user namespaces, with the host root user not mapped into the container\u0027s namespace. procfs file permissions are managed using Unix\nDAC and thus user namespaces stop a container process from being able to write to them.\n\n* Not running as a root user in the container (this includes disabling setuid binaries with noNewPrivileges). As above, procfs file permissions are managed using Unix DAC and thus non-root users cannot write to them.\n\n* Depending on the maskedPath configuration (the default configuratio nonly masks paths in /proc and /sys), using an AppArmor that blocks unexpectedwrites to any maskedPaths (as is the case with the defaultprofile used by Docker and Podman) will block attempts to exploit this issue. However, CVE-2025-52881 allows an attacker to bypass LSMlabels, and so this mitigation is not helpful when considered incombination with CVE-2025-52881.",
          "product_ids": [
            "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "runc: container escape via \u0027masked path\u0027 abuse due to mount race conditions"
    },
    {
      "cve": "CVE-2025-52565",
      "cwe": {
        "id": "CWE-59",
        "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
      },
      "discovery_date": "2025-10-17T14:19:18.653000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2404708"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in runc. CVE-2025-52565 is very similar in concept and application toCVE-2025-31133, except that it exploits a flaw in /dev/console\nbind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "runc: container escape with malicious config due to /dev/console mount and related races",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat considers this as an Important flaw since the impact is limited to local attack with minimal privileges in order to jeopardize the environment.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
          "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
          "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
          "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "RHBZ#2404708",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404708"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52565",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52565",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52565"
        }
      ],
      "release_date": "2025-11-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-11-27T11:08:51+00:00",
          "details": "For OpenShift Container Platform 4.16 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n      (For x86_64 architecture)\n      The image digest is sha256:fe82edf8318eb10aac27fbc005ccee485a6e92734a0241cfa74a5b5ad4f9cc04\n\n      (For s390x architecture)\n      The image digest is sha256:91659a7217d7007c7c89424491935a4cbff57ff651ca183dfc9abe51cad37315\n      (For ppc64le architecture)\n      The image digest is sha256:1b195e402933e9d828a9d48ca1e0ce5835686cffda64a3910efba819de61b829\n      (For aarch64 architecture)\n      The image digest is sha256:d9ad3b1418d7e8c9c5a38f2b378d944c5af7ed31253fd00025d6ac5b340ada50\n\nAll OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html-single/updating_clusters/index#updating-cluster-cli.",
          "product_ids": [
            "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:21824"
        },
        {
          "category": "workaround",
          "details": "Potential mitigations for this issue include:\n\n* Using user namespaces, with the host root user not mapped into the container\u0027s namespace. procfs file permissions are managed using Unix DAC and thus user namespaces stop a container process from being able to write to them.\n* Not running as a root user in the container (this includes disabling setuid binaries with noNewPrivileges). As above, procfs file permissions are managed using Unix DAC and thus non-root users cannot write to them.\n* The default SELinux policy should mitigate this issue, as the /dev/console bind-mount does not re-label the mount and so the container process should not be able to write to unsafe procfs files. However, CVE-2025-52881 allows an attacker to bypass LSM labels, and so this mitigation is not helpful when considered in combination with CVE-2025-52881.\n* The default AppArmor profile used by most runtimes will NOT help mitigate this issue, as /dev/console access is permitted. You could create a custom profile that blocks access to /dev/console, but such a profile might break regular containers. In addition, CVE-2025-52881 allows an attacker to bypass LSM labels, and so that mitigation is not helpful when considered in combination with CVE-2025-52881.",
          "product_ids": [
            "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "runc: container escape with malicious config due to /dev/console mount and related races"
    },
    {
      "cve": "CVE-2025-52881",
      "cwe": {
        "id": "CWE-59",
        "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
      },
      "discovery_date": "2025-10-17T14:19:18.652000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2404715"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in runc. This attack is a more sophisticated variant of CVE-2019-16884, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation applied for CVE-2019-16884 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat considers this as an Important flaw since the impact is limited to local attack with minimal privileges in order to jeopardize the environment.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
          "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
          "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
          "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "RHBZ#2404715",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404715"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52881",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52881",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/selinux/pull/237",
          "url": "https://github.com/opencontainers/selinux/pull/237"
        }
      ],
      "release_date": "2025-11-05T09:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-11-27T11:08:51+00:00",
          "details": "For OpenShift Container Platform 4.16 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n      (For x86_64 architecture)\n      The image digest is sha256:fe82edf8318eb10aac27fbc005ccee485a6e92734a0241cfa74a5b5ad4f9cc04\n\n      (For s390x architecture)\n      The image digest is sha256:91659a7217d7007c7c89424491935a4cbff57ff651ca183dfc9abe51cad37315\n      (For ppc64le architecture)\n      The image digest is sha256:1b195e402933e9d828a9d48ca1e0ce5835686cffda64a3910efba819de61b829\n      (For aarch64 architecture)\n      The image digest is sha256:d9ad3b1418d7e8c9c5a38f2b378d944c5af7ed31253fd00025d6ac5b340ada50\n\nAll OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html-single/updating_clusters/index#updating-cluster-cli.",
          "product_ids": [
            "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:21824"
        },
        {
          "category": "workaround",
          "details": "Potential mitigations for this issue include:\n\n* Using rootless containers, as doing so will block most of the inadvertent writes (runc would run with reduced privileges, making attempts to write to procfs files ineffective).\n* Based on our analysis, neither AppArmor or SELinux can protect against the full version of the redirected write attack. The container runtime is generally privileged enough to write to arbitrary procfs files, which is more than sufficient to cause a container breakout.",
          "product_ids": [
            "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHOSE-4.16:rhcos-aarch64-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-ppc64le-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-s390x-416.94.202511191934-0",
            "9Base-RHOSE-4.16:rhcos-x86_64-416.94.202511191934-0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects"
    }
  ]
}

CVE-2025-52565 (GCVE-0-2025-52565)

Vulnerability from cvelistv5

Published

2025-11-06 20:02

Modified

2025-11-06 21:32

Severity ?

8.4 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following
CWE-363 - Race Condition Enabling Link Following

Summary

runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

References

URL

Tags

	https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r	x_refsource_CONFIRM
	https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	opencontainers	runc	Version: >= 1.0.0-rc3, < 1.2.8 Version: >= 1.3.0-rc.1, < 1.3.3 Version: >= 1.4.0-rc.1, < 1.4.0-rc.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52565",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T21:32:07.457681Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:32:19.129Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "runc",
          "vendor": "opencontainers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0-rc3, \u003c 1.2.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.3.0-rc.1, \u003c 1.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.4.0-rc.1, \u003c 1.4.0-rc.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-363",
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-06T20:02:58.513Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
        }
      ],
      "source": {
        "advisory": "GHSA-qw9x-cqr3-wc7r",
        "discovery": "UNKNOWN"
      },
      "title": "container escape due to /dev/console mount and related races"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-52565",
    "datePublished": "2025-11-06T20:02:58.513Z",
    "dateReserved": "2025-06-18T03:55:52.036Z",
    "dateUpdated": "2025-11-06T21:32:19.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-31133 (GCVE-0-2025-31133)

Vulnerability from cvelistv5

Published

2025-11-06 18:47

Modified

2025-11-06 19:22

Severity ?

7.3 (High) - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following
CWE-363 - Race Condition Enabling Link Following

Summary

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

References

URL

Tags

	https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2	x_refsource_CONFIRM
	https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	opencontainers	runc	Version: < 1.2.8 Version: >= 1.3.0-rc.1, < 1.3.3 Version: >= 1.4.0-rc.1, <= 1.4.0-rc.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31133",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T19:03:45.356326Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T19:22:22.047Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "runc",
          "vendor": "opencontainers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.3.0-rc.1, \u003c 1.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.4.0-rc.1, \u003c= 1.4.0-rc.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-363",
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-06T18:47:47.335Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
        }
      ],
      "source": {
        "advisory": "GHSA-9493-h29p-rfm2",
        "discovery": "UNKNOWN"
      },
      "title": "runc container escape via \"masked path\" abuse due to mount race conditions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-31133",
    "datePublished": "2025-11-06T18:47:47.335Z",
    "dateReserved": "2025-03-26T15:04:52.627Z",
    "dateUpdated": "2025-11-06T19:22:22.047Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-52881 (GCVE-0-2025-52881)

Vulnerability from cvelistv5

Published

2025-11-06 20:23

Modified

2025-11-06 21:07

Severity ?

7.3 (High) - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following
CWE-363 - Race Condition Enabling Link Following

Summary

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

References

URL

Tags

	https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm	x_refsource_CONFIRM
	https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r	x_refsource_MISC
	https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557	x_refsource_MISC
	https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md	x_refsource_MISC
	http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322	x_refsource_MISC
	http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	opencontainers	runc	Version: <= 1.2.7, < 1.2.8 Version: <= 1.3.2, < 1.3.3 Version: <= 1.4.0-rc.2, < 1.4.0-rc.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52881",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T21:06:59.235416Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:07:09.382Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "runc",
          "vendor": "opencontainers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.2.7, \u003c 1.2.8"
            },
            {
              "status": "affected",
              "version": "\u003c= 1.3.2, \u003c 1.3.3"
            },
            {
              "status": "affected",
              "version": "\u003c= 1.4.0-rc.2, \u003c 1.4.0-rc.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-363",
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-06T20:23:36.237Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
        },
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
        },
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557"
        },
        {
          "name": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md"
        },
        {
          "name": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322"
        },
        {
          "name": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3"
        }
      ],
      "source": {
        "advisory": "GHSA-cgrx-mc8f-2prm",
        "discovery": "UNKNOWN"
      },
      "title": "runc: LSM labels can be bypassed with malicious config using dummy procfs files"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-52881",
    "datePublished": "2025-11-06T20:23:36.237Z",
    "dateReserved": "2025-06-20T17:42:25.708Z",
    "dateUpdated": "2025-11-06T21:07:09.382Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

rhsa-2025:21824

Vulnerability from csaf_redhat

CVE-2025-52565 (GCVE-0-2025-52565)

Vulnerability from cvelistv5

CVE-2025-31133 (GCVE-0-2025-31133)

Vulnerability from cvelistv5

CVE-2025-52881 (GCVE-0-2025-52881)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature