Vulnerability-Lookup

SUSE-SU-2026:0327-1

Vulnerability from csaf_suse - Published: 2026-01-28 15:38 - Updated: 2026-01-28 15:38

Summary

Security update for alloy

Notes

Title of the patch

Security update for alloy

Description of the patch

This update for alloy fixes the following issues: Update to 1.12.2: Security fixes: - CVE-2025-68156: github.com/expr-lang/expr/builtin: Fixed potential DoS via unbounded recursion (bsc#1255333): - CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: github.com/opencontainers/runc: Fixed container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1255074) Other fixes: - Add missing configuration parameter deployment_name_from_replicaset to k8sattributes processor (5b90a9d) (@dehaansa) - database_observability: Fix schema_details collector to fetch column definitions with case sensitive table names (#4872) (560dff4) (@jharvey10, @fridgepoet) - deps: Update jose2go to 1.7.0 (#4858) (dfdd341) (@jharvey10) - deps: Update npm dependencies [backport] (#5201) (8e06c26) (@jharvey10) - Ensure the squid exporter wrapper properly brackets ipv6 addresses [backport] (#5205) (e329cc6) (@dehaansa) - Preserve meta labels in loki.source.podlogs (#5097) (ab4b21e) (@kalleep) - Prevent panic in import.git when update fails [backport] (#5204) (c82fbae) (@dehaansa, @jharvey10) - show correct fallback alloy version instead of v1.13.0 (#5110) (b72be99) (@dehaansa, @jharvey10)

Patchnames

SUSE-2026-327,SUSE-SLE-Module-Basesystem-15-SP7-2026-327

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for alloy",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for alloy fixes the following issues:\n\nUpdate to 1.12.2:\n\nSecurity fixes:\n\n- CVE-2025-68156: github.com/expr-lang/expr/builtin: Fixed potential DoS via unbounded recursion (bsc#1255333):\n- CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: github.com/opencontainers/runc: Fixed container\n  breakouts by bypassing runc\u0027s restrictions for writing to arbitrary /proc files (bsc#1255074)\n\nOther fixes:\n\n    - Add missing configuration parameter\n      deployment_name_from_replicaset to k8sattributes processor\n      (5b90a9d) (@dehaansa)\n    - database_observability: Fix schema_details collector to fetch\n      column definitions with case sensitive table names (#4872)\n      (560dff4) (@jharvey10, @fridgepoet)\n    - deps: Update jose2go to 1.7.0 (#4858) (dfdd341) (@jharvey10)\n    - deps: Update npm dependencies [backport] (#5201) (8e06c26)\n      (@jharvey10)\n    - Ensure the squid exporter wrapper properly brackets ipv6\n      addresses [backport] (#5205) (e329cc6) (@dehaansa)\n    - Preserve meta labels in loki.source.podlogs (#5097) (ab4b21e)\n      (@kalleep)\n    - Prevent panic in import.git when update fails [backport]\n      (#5204) (c82fbae) (@dehaansa, @jharvey10)\n    - show correct fallback alloy version instead of v1.13.0\n      (#5110) (b72be99) (@dehaansa, @jharvey10)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-327,SUSE-SLE-Module-Basesystem-15-SP7-2026-327",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0327-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:0327-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260327-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:0327-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/023974.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1255074",
        "url": "https://bugzilla.suse.com/1255074"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1255333",
        "url": "https://bugzilla.suse.com/1255333"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-31133 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-31133/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52565 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52565/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52881 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52881/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-68156 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-68156/"
      }
    ],
    "title": "Security update for alloy",
    "tracking": {
      "current_release_date": "2026-01-28T15:38:58Z",
      "generator": {
        "date": "2026-01-28T15:38:58Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:0327-1",
      "initial_release_date": "2026-01-28T15:38:58Z",
      "revision_history": [
        {
          "date": "2026-01-28T15:38:58Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alloy-1.12.2-150700.15.15.1.aarch64",
                "product": {
                  "name": "alloy-1.12.2-150700.15.15.1.aarch64",
                  "product_id": "alloy-1.12.2-150700.15.15.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alloy-1.12.2-150700.15.15.1.ppc64le",
                "product": {
                  "name": "alloy-1.12.2-150700.15.15.1.ppc64le",
                  "product_id": "alloy-1.12.2-150700.15.15.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alloy-1.12.2-150700.15.15.1.s390x",
                "product": {
                  "name": "alloy-1.12.2-150700.15.15.1.s390x",
                  "product_id": "alloy-1.12.2-150700.15.15.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alloy-1.12.2-150700.15.15.1.x86_64",
                "product": {
                  "name": "alloy-1.12.2-150700.15.15.1.x86_64",
                  "product_id": "alloy-1.12.2-150700.15.15.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                  "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alloy-1.12.2-150700.15.15.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64"
        },
        "product_reference": "alloy-1.12.2-150700.15.15.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alloy-1.12.2-150700.15.15.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le"
        },
        "product_reference": "alloy-1.12.2-150700.15.15.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alloy-1.12.2-150700.15.15.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x"
        },
        "product_reference": "alloy-1.12.2-150700.15.15.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alloy-1.12.2-150700.15.15.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
        },
        "product_reference": "alloy-1.12.2-150700.15.15.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-31133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-31133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-31133",
          "url": "https://www.suse.com/security/cve/CVE-2025-31133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-28T15:38:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-31133"
    },
    {
      "cve": "CVE-2025-52565",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52565"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52565",
          "url": "https://www.suse.com/security/cve/CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-28T15:38:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52565"
    },
    {
      "cve": "CVE-2025-52881",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52881"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52881",
          "url": "https://www.suse.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-28T15:38:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52881"
    },
    {
      "cve": "CVE-2025-68156",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-68156"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash. While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the\nevaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recoverable evaluation error, the process may terminate unexpectedly. In affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently validated data structures can lead to a process-level crash due to stack exhaustion. This issue is most relevant in scenarios where Expr is used to evaluate expressions against externally supplied or dynamically constructed environments; cyclic references (directly or indirectly) can be introduced into arrays, maps, or structs; and there are no application-level safeguards preventing deeply nested input data. In typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting panic can be used to reliably crash the application, constituting a denial of service. The issue has been fixed in the v1.17.7 versions of Expr. The patch introduces a maximum recursion depth limit for affected builtin functions. When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking. Additionally, the maximum depth can be customized by users via `builtin.MaxDepth`, allowing applications with legitimate deep structures to raise the limit in a controlled manner. Users are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and comprehensive test coverage to prevent regressions. For users who cannot immediately upgrade, some mitigations are recommended. Ensure that evaluation environments cannot contain cyclic references, validate or sanitize externally supplied data structures before passing them to Expr, and/or wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure). These workarounds reduce risk but do not fully eliminate the issue without the patch.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-68156",
          "url": "https://www.suse.com/security/cve/CVE-2025-68156"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255330 for CVE-2025-68156",
          "url": "https://bugzilla.suse.com/1255330"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.2-150700.15.15.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-28T15:38:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-68156"
    }
  ]
}

CVE-2025-52565 (GCVE-0-2025-52565)

Vulnerability from cvelistv5 – Published: 2025-11-06 20:02 – Updated: 2025-11-06 21:32

Title

container escape due to /dev/console mount and related races

Summary

runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Severity ?

8.4 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following
CWE-363 - Race Condition Enabling Link Following

Assigner

GitHub_M

References

URL

Tags

	https://github.com/opencontainers/runc/security/a…	x_refsource_CONFIRM
	https://github.com/opencontainers/runc/commit/01d…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/398…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/531…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/9be…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/aee…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/db1…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/de8…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/ff9…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	opencontainers	runc	Affected: >= 1.0.0-rc3, < 1.2.8 Affected: >= 1.3.0-rc.1, < 1.3.3 Affected: >= 1.4.0-rc.1, < 1.4.0-rc.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52565",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T21:32:07.457681Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:32:19.129Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "runc",
          "vendor": "opencontainers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0-rc3, \u003c 1.2.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.3.0-rc.1, \u003c 1.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.4.0-rc.1, \u003c 1.4.0-rc.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-363",
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-06T20:02:58.513Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
        }
      ],
      "source": {
        "advisory": "GHSA-qw9x-cqr3-wc7r",
        "discovery": "UNKNOWN"
      },
      "title": "container escape due to /dev/console mount and related races"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-52565",
    "datePublished": "2025-11-06T20:02:58.513Z",
    "dateReserved": "2025-06-18T03:55:52.036Z",
    "dateUpdated": "2025-11-06T21:32:19.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68156 (GCVE-0-2025-68156)

Vulnerability from cvelistv5 – Published: 2025-12-16 18:24 – Updated: 2025-12-16 19:59

Title

Expr has Denial of Service via Unbounded Recursion in Builtin Functions

Summary

Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash. While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the evaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recoverable evaluation error, the process may terminate unexpectedly. In affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently validated data structures can lead to a process-level crash due to stack exhaustion. This issue is most relevant in scenarios where Expr is used to evaluate expressions against externally supplied or dynamically constructed environments; cyclic references (directly or indirectly) can be introduced into arrays, maps, or structs; and there are no application-level safeguards preventing deeply nested input data. In typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting panic can be used to reliably crash the application, constituting a denial of service. The issue has been fixed in the v1.17.7 versions of Expr. The patch introduces a maximum recursion depth limit for affected builtin functions. When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking. Additionally, the maximum depth can be customized by users via `builtin.MaxDepth`, allowing applications with legitimate deep structures to raise the limit in a controlled manner. Users are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and comprehensive test coverage to prevent regressions. For users who cannot immediately upgrade, some mitigations are recommended. Ensure that evaluation environments cannot contain cyclic references, validate or sanitize externally supplied data structures before passing them to Expr, and/or wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure). These workarounds reduce risk but do not fully eliminate the issue without the patch.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

URL

Tags

	https://github.com/expr-lang/expr/security/adviso…	x_refsource_CONFIRM
	https://github.com/expr-lang/expr/pull/870	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	expr-lang	expr	Affected: < 1.17.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68156",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-16T19:58:48.969218Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-16T19:59:24.007Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "expr",
          "vendor": "expr-lang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.17.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash. While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the\nevaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recoverable evaluation error, the process may terminate unexpectedly. In affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently validated data structures can lead to a process-level crash due to stack exhaustion. This issue is most relevant in scenarios where Expr is used to evaluate expressions against externally supplied or dynamically constructed environments; cyclic references (directly or indirectly) can be introduced into arrays, maps, or structs; and there are no application-level safeguards preventing deeply nested input data. In typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting panic can be used to reliably crash the application, constituting a denial of service. The issue has been fixed in the v1.17.7 versions of Expr. The patch introduces a maximum recursion depth limit for affected builtin functions. When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking. Additionally, the maximum depth can be customized by users via `builtin.MaxDepth`, allowing applications with legitimate deep structures to raise the limit in a controlled manner. Users are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and comprehensive test coverage to prevent regressions. For users who cannot immediately upgrade, some mitigations are recommended. Ensure that evaluation environments cannot contain cyclic references, validate or sanitize externally supplied data structures before passing them to Expr, and/or wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure). These workarounds reduce risk but do not fully eliminate the issue without the patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T18:24:11.648Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/expr-lang/expr/security/advisories/GHSA-cfpf-hrx2-8rv6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/expr-lang/expr/security/advisories/GHSA-cfpf-hrx2-8rv6"
        },
        {
          "name": "https://github.com/expr-lang/expr/pull/870",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/expr-lang/expr/pull/870"
        }
      ],
      "source": {
        "advisory": "GHSA-cfpf-hrx2-8rv6",
        "discovery": "UNKNOWN"
      },
      "title": "Expr has Denial of Service via Unbounded Recursion in Builtin Functions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68156",
    "datePublished": "2025-12-16T18:24:11.648Z",
    "dateReserved": "2025-12-15T23:02:17.604Z",
    "dateUpdated": "2025-12-16T19:59:24.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-31133 (GCVE-0-2025-31133)

Vulnerability from cvelistv5 – Published: 2025-11-06 18:47 – Updated: 2025-11-06 19:22

Title

runc container escape via "masked path" abuse due to mount race conditions

Summary

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Severity ?

7.3 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following
CWE-363 - Race Condition Enabling Link Following

Assigner

GitHub_M

References

URL

Tags

	https://github.com/opencontainers/runc/security/a…	x_refsource_CONFIRM
	https://github.com/opencontainers/runc/commit/1a3…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/5d7…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/847…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/db1…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	opencontainers	runc	Affected: < 1.2.8 Affected: >= 1.3.0-rc.1, < 1.3.3 Affected: >= 1.4.0-rc.1, <= 1.4.0-rc.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31133",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T19:03:45.356326Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T19:22:22.047Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "runc",
          "vendor": "opencontainers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.3.0-rc.1, \u003c 1.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.4.0-rc.1, \u003c= 1.4.0-rc.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-363",
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-06T18:47:47.335Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
        }
      ],
      "source": {
        "advisory": "GHSA-9493-h29p-rfm2",
        "discovery": "UNKNOWN"
      },
      "title": "runc container escape via \"masked path\" abuse due to mount race conditions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-31133",
    "datePublished": "2025-11-06T18:47:47.335Z",
    "dateReserved": "2025-03-26T15:04:52.627Z",
    "dateUpdated": "2025-11-06T19:22:22.047Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-52881 (GCVE-0-2025-52881)

Vulnerability from cvelistv5 – Published: 2025-11-06 20:23 – Updated: 2025-11-06 21:07

Title

runc: LSM labels can be bypassed with malicious config using dummy procfs files

Summary

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

Severity ?

7.3 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following
CWE-363 - Race Condition Enabling Link Following

Assigner

GitHub_M

References

URL

Tags

	https://github.com/opencontainers/runc/security/a…	x_refsource_CONFIRM
	https://github.com/opencontainers/runc/security/a…	x_refsource_MISC
	https://github.com/opencontainers/runc/security/a…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/ff9…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/ff6…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/ed6…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/db1…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/d61…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/d40…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/b3d…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/77d…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/778…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/6fc…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/4b3…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/44a…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/435…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/3f9…	x_refsource_MISC
	https://github.com/opencontainers/runc/blob/v1.4.…	x_refsource_MISC
	http://github.com/opencontainers/runc/commit/a413…	x_refsource_MISC
	http://github.com/opencontainers/runc/commit/fdcc…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	opencontainers	runc	Affected: <= 1.2.7, < 1.2.8 Affected: <= 1.3.2, < 1.3.3 Affected: <= 1.4.0-rc.2, < 1.4.0-rc.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52881",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T21:06:59.235416Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:07:09.382Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "runc",
          "vendor": "opencontainers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.2.7, \u003c 1.2.8"
            },
            {
              "status": "affected",
              "version": "\u003c= 1.3.2, \u003c 1.3.3"
            },
            {
              "status": "affected",
              "version": "\u003c= 1.4.0-rc.2, \u003c 1.4.0-rc.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-363",
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-06T20:23:36.237Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
        },
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
        },
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557"
        },
        {
          "name": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md"
        },
        {
          "name": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322"
        },
        {
          "name": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3"
        }
      ],
      "source": {
        "advisory": "GHSA-cgrx-mc8f-2prm",
        "discovery": "UNKNOWN"
      },
      "title": "runc: LSM labels can be bypassed with malicious config using dummy procfs files"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-52881",
    "datePublished": "2025-11-06T20:23:36.237Z",
    "dateReserved": "2025-06-20T17:42:25.708Z",
    "dateUpdated": "2025-11-06T21:07:09.382Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2026:0327-1

CVE-2025-52565 (GCVE-0-2025-52565)

CVE-2025-68156 (GCVE-0-2025-68156)

CVE-2025-31133 (GCVE-0-2025-31133)

CVE-2025-52881 (GCVE-0-2025-52881)

Tags

Sightings

Nomenclature