CVE-2025-31133

7.8 HIGH

📋 TL;DR

runc hides sensitive files inside a container (the maskedPaths entries of the OCI config, for example /proc/kcore) by bind-mounting /dev/null over them. Vulnerable versions use the container's own /dev/null as the bind-mount source without verifying that it is really the null character device. An attacker who controls the container's root filesystem (a malicious image, or a race against runc while it sets up the container) can replace /dev/null with a symlink, and runc then bind-mounts the symlink target, read-write, over the masked path. That exposes writable host procfs entries inside the container and can lead to container escape, host filesystem access, denial of service, or bypass of security controls. Any system running a vulnerable runc, whether invoked directly or by Docker, containerd, Kubernetes or Podman, is affected.

💻 Affected Systems

Products:
  • runc
  • Docker
  • containerd
  • Kubernetes (when using affected runc versions)
  • Podman
Versions: runc 1.2.7 and earlier (including all 1.0.x and 1.1.x releases), every 1.3.x release before 1.3.3 (including the 1.3.0 release candidates), and 1.4.0-rc.1 and 1.4.0-rc.2
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any container runtime that executes a vulnerable runc binary. The version of Docker, containerd, Kubernetes or Podman by itself says nothing; what matters is the runc binary those components invoke (Docker's containerd.io package ships its own runc, distributions ship another), so check the runc version on every node rather than the engine version.

📦 What is this software?

runc is the reference implementation of the OCI runtime specification: a small command-line tool that takes an OCI bundle (a config.json plus a root filesystem) and creates the container by setting up namespaces, cgroups, mounts, and the masked and read-only paths listed in the config. Docker and containerd (and therefore Kubernetes nodes using containerd) call it underneath their own APIs, and Podman can be configured to use it, which is why a vulnerable runc affects all of them regardless of their own versions.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Container escape leading to full host compromise, data exfiltration, and lateral movement across infrastructure

🟠

Likely Case

Information disclosure from host filesystem or container escape in multi-tenant environments

🟢

If Mitigated

Limited impact if images come only from trusted sources, containers run in user namespaces without host root mapped, and workloads carry minimal privileges and capabilities

🌐 Internet-Facing: MEDIUM - Requires container access; internet-facing containers could be initial entry point
🏢 Internal Only: HIGH - Containerized workloads in internal environments are primary targets

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the ability to supply or modify a container's root filesystem before runc applies the masked paths, typically a malicious image or a race against container startup. No public exploit code is known, but the vendor advisory describes the mechanism in enough detail that an exploit is straightforward to reconstruct.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: runc 1.2.8, 1.3.3, 1.4.0-rc.3 and later

Vendor Advisory: https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2

Restart Required: Yes

Instructions:

1. Update runc to a patched version with the package manager (apt/yum; on Docker hosts this is the containerd.io package) or by replacing the binary manually.
2. Update the container runtime (Docker/containerd) to a release that bundles a patched runc, where the runtime ships its own copy.
3. Restart the container runtime service as your package's post-install notes require. runc itself is executed afresh for every container create, so new containers pick up the patched binary as soon as it is replaced.
4. Recreate running containers if you want them provably started with the patched runc; the vulnerable step happens at container creation, so containers already running are not re-exposed by staying up.

🔧 Temporary Workarounds

Avoid /dev/null-based masking (stopgap only)

linux

The vulnerable step is the bind-mount of the container's /dev/null over each maskedPaths entry, so a container spec with no maskedPaths does not reach it. The price is high: the files those entries hide (in the default Docker spec /proc/kcore, /proc/keys, /proc/sched_debug and others) become readable from the container, trading this bug for a permanent information-disclosure surface. Use it only for trusted workloads and only until you can patch.

Remove the maskedPaths array from the OCI config.json for hand-built bundles. For Docker, `--security-opt systempaths=unconfined` turns off the masked paths, but it also drops the readonlyPaths (/proc/sys, /proc/sysrq-trigger and so on), which is broader than this bug requires.

🧯 If You Can't Patch

  • Run containers in user namespaces (Docker userns-remap, rootless Podman, Kubernetes user namespaces) so that root inside the container is not host root; host-owned procfs control files such as /proc/sys/kernel/core_pattern are then not writable even if they are exposed
  • Only run images from trusted registries with verified content; the attack needs a root filesystem whose /dev/null has been tampered with
  • Implement strict container privilege restrictions (no privileged containers, drop all capabilities that are not needed)
  • Use seccomp profiles and AppArmor/SELinux policies to limit what container processes can do, including mount-related syscalls

🔍 How to Verify

Check if Vulnerable:

Run `runc --version` on every node and compare the reported version against the fixed releases. Check every runc binary the runtime actually executes, not just the first one in PATH: `docker info` lists the runc version under the Server section, and Docker's containerd.io package installs its copy as /usr/bin/runc.

Check Version:

runc --version

Verify Fix Applied:

The reported version is 1.2.8 or later in the 1.2 series, 1.3.3 or later in the 1.3 series, or 1.4.0-rc.3 or later (1.4.0 final included). Compare versions numerically, not as strings: 1.2.10 is newer than 1.2.8 even though it sorts before it lexically.
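The version check above, as a script that can be dropped onto each node. This is an added example, not part of the runc advisory or the runc project: it classifies a runc version string against the fixed releases named on this page (1.2.8, 1.3.3, 1.4.0-rc.3), parses `runc --version` output, and runs the check against every runc binary it can find. The assumptions are that every 1.3.x release before 1.3.3 and every 1.4.0 release candidate before rc.3 is unpatched, that 1.4.0 final and later carry the fix, and that the sample `runc --version` output embedded below is constructed (the commit hash is a placeholder, not a real build).

```sh
#!/bin/sh
# Added example (not from the runc advisory or runc itself): classify a runc
# version against the fixed releases 1.2.8, 1.3.3 and 1.4.0-rc.3.
set -eu

# runc_vuln_version VERSION
# Prints "vulnerable" or "patched" for a version such as 1.2.7, 1.3.0-rc.1,
# 1.4.0-rc.2 or 1.2.8+dev (git builds append +dev).
runc_vuln_version() {
    v=$1
    base=${v%%-*}          # 1.4.0-rc.2 -> 1.4.0
    base=${base%%+*}       # 1.2.8+dev  -> 1.2.8
    rc=
    case $v in
        *-rc.*) rc=${v##*-rc.}; rc=${rc%%[!0-9]*} ;;   # 1.4.0-rc.2 -> 2
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}
    : "${major:=0}" "${minor:=0}" "${patch:=0}"

    if [ "$major" -gt 1 ]; then echo patched; return; fi
    if [ "$major" -lt 1 ]; then echo vulnerable; return; fi
    case $minor in
        0|1) echo vulnerable ;;     # 1.0.x and 1.1.x never received a fix
        2) if [ "$patch" -ge 8 ]; then echo patched; else echo vulnerable; fi ;;
        3) if [ "$patch" -ge 3 ]; then echo patched; else echo vulnerable; fi ;;
        4) if [ "$patch" -gt 0 ] || [ -z "$rc" ] || [ "$rc" -ge 3 ]; then
               echo patched; else echo vulnerable; fi ;;
        *) echo patched ;;          # assumption: 1.5 and later carry the fix
    esac
}

# runc_version_from_output TEXT
# Extracts the version token from the "runc version X" line of
# `runc --version` output; prints nothing if no such line exists.
runc_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^runc version \([0-9][0-9A-Za-z.+-]*\).*/\1/p' | head -n 1
}

# check_runc_binary [PATH]
# Runs `PATH --version` (default: runc from $PATH) and prints a verdict.
# Returns 0 if patched, 1 if vulnerable, 2 if the binary is missing or its
# output cannot be parsed.
check_runc_binary() {
    bin=${1:-runc}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "$bin: not found"; return 2
    fi
    out=$("$bin" --version 2>/dev/null) || { echo "$bin: --version failed"; return 2; }
    ver=$(runc_version_from_output "$out")
    if [ -z "$ver" ]; then echo "$bin: could not parse version output"; return 2; fi
    verdict=$(runc_vuln_version "$ver")
    echo "$bin: runc $ver is $verdict"
    if [ "$verdict" = patched ]; then return 0; else return 1; fi
}

# Constructed sample of `runc --version` output (placeholder commit, not a real build).
SAMPLE_OUTPUT='runc version 1.2.7
commit: 0000000000000000000000000000000000000000
spec: 1.2.0
go: go1.23.0
libseccomp: 2.5.5'

sample_ver=$(runc_version_from_output "$SAMPLE_OUTPUT")
echo "sample output parsed as runc $sample_ver: $(runc_vuln_version "$sample_ver")"

# Check every runc binary you know about, not only the first one in $PATH:
# Docker's containerd.io package installs /usr/bin/runc, hand-installed
# copies usually land in /usr/local/sbin or /usr/local/bin. Override with RUNC_BINS.
for b in ${RUNC_BINS:-runc /usr/bin/runc /usr/local/sbin/runc /usr/local/bin/runc}; do
    check_runc_binary "$b" || true
done
```

Run it as root on each node (`sh check-runc.sh`, or `RUNC_BINS=/opt/runc/runc sh check-runc.sh` for a non-standard install); a "vulnerable" verdict for any binary that a runtime on that host executes means the host needs the update, whatever `docker --version` or `kubelet --version` report.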

📡 Detection & Monitoring

Log Indicators:

  • Unusual bind-mount operations in container runtime logs, in particular a masked-path mount whose source is not the null character device
  • Writes to host-owned procfs control files such as /proc/sys/kernel/core_pattern or /proc/sysrq-trigger originating from a container process, in kernel/audit logs
  • Container images or volumes in which /dev/null is a symlink or a regular file rather than the null character device

Network Indicators:

  • Containers making unexpected network connections to host services

SIEM Query (pseudo-syntax; map the fields to your inventory schema and compare versions as semantic versions, not as strings, or 1.2.10 will match as older than 1.2.8):

container.runtime=runc AND (version < 1.2.8 OR (version >= 1.3.0-rc.1 AND version < 1.3.3) OR version = 1.4.0-rc.1 OR version = 1.4.0-rc.2)

🔗 References

  • runc security advisory GHSA-9493-h29p-rfm2: https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2