CVE-2025-52565
📋 TL;DR
A vulnerability in runc allows attackers to bypass container isolation by tricking the system into bind-mounting sensitive read-only or masked paths to writable locations. This can lead to container breakout or host denial of service by manipulating critical system files like /proc/sysrq-trigger. Affects runc versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2.
💻 Affected Systems
- runc
📦 What is this software?
runc by the Linux Foundation
⚠️ Risk & Real-World Impact
Worst Case
Container breakout allowing an attacker to execute code on the host, manipulate host kernel parameters, or cause a host denial of service via /proc/sysrq-trigger.
Likely Case
Container escape leading to unauthorized access to other containers or host resources, or denial of service affecting container availability.
If Mitigated
Limited impact within container boundaries if proper network segmentation and least privilege are enforced.
🎯 Exploit Status
Exploitation requires access to a container and knowledge of container internals. The issue is similar in concept to CVE-2025-31133.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.8, 1.3.3, 1.4.0-rc.3
Vendor Advisory: https://github.com/opencontainers/runc/security/advisories
Restart Required: Yes
Instructions:
1. Update runc to a patched version.
2. Restart all containers so that they use the updated runc binary.
3. Verify that the container runtime (Docker, containerd, etc.) uses the updated runc version.
🔧 Temporary Workarounds
Disable console allocation (Linux)
Prevent containers from allocating a console to mitigate the specific bind-mount vulnerability.
docker run --tty=false ...
podman run --tty=false ...
Use a read-only root filesystem (Linux)
Run containers with a read-only root filesystem to limit write capabilities.
docker run --read-only ...
podman run --read-only ...
🧯 If You Can't Patch
- Implement strict container isolation policies and network segmentation.
- Enforce least privilege principles and monitor container activities for suspicious behavior.
🔍 How to Verify
Check if Vulnerable:
Check runc version: runc --version
Check Version:
runc --version | grep version
Verify Fix Applied:
Verify that the installed runc version is 1.2.8 or later (1.2 series), 1.3.3 or later (1.3 series), or 1.4.0-rc.3 or later (1.4 series).
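Added example (not part of this advisory): a shell helper that classifies a runc version string against the affected and fixed ranges listed above, treating rc builds as older than the final release of the same number so that 1.4.0-rc.2 is reported vulnerable while 1.4.0-rc.3 and 1.4.0 are reported fixed. The runc_installed_status helper and its parsing of the first line of `runc --version` as "runc version X.Y.Z" are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): classify a runc version against the
# ranges above. Affected: 1.0.0-rc3..1.2.7, 1.3.0-rc.1..1.3.2, 1.4.0-rc.1..rc.2.

# Turn "1.4.0-rc.2", "1.0.0-rc3" or "v1.2.7" into "MAJOR MINOR PATCH PRE", where
# PRE is the rc number, or 999 for a final release, so rc builds sort first.
runc_version_key() {
  local v="${1#v}" core pre
  core="${v%%-*}"
  if [ "$core" = "$v" ]; then
    pre=999
  else
    pre=$(printf '%s' "${v#*-}" | tr -cd '0-9')   # "rc.2" -> 2, "rc3" -> 3
  fi
  local IFS=.
  set -- $core
  printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "${pre:-0}"
}
# Exit 0 when version $1 sorts strictly before version $2.
runc_version_lt() {
  set -- $(runc_version_key "$1") $(runc_version_key "$2")
  if   [ "$1" -ne "$5" ]; then [ "$1" -lt "$5" ]
  elif [ "$2" -ne "$6" ]; then [ "$2" -lt "$6" ]
  elif [ "$3" -ne "$7" ]; then [ "$3" -lt "$7" ]
  else                         [ "$4" -lt "$8" ]
  fi
}
# Print vulnerable, fixed or unknown for one version string.
runc_cve_2025_52565_status() {
  local v="$1"
  if   runc_version_lt "$v" 1.0.0-rc3;  then echo unknown     # predates affected range
  elif runc_version_lt "$v" 1.2.8;      then echo vulnerable  # 1.0.0-rc3 .. 1.2.7
  elif runc_version_lt "$v" 1.3.0-rc.1; then echo fixed       # 1.2.8 and later 1.2.x
  elif runc_version_lt "$v" 1.3.3;      then echo vulnerable  # 1.3.0-rc.1 .. 1.3.2
  elif runc_version_lt "$v" 1.4.0-rc.1; then echo fixed       # 1.3.3 and later 1.3.x
  elif runc_version_lt "$v" 1.4.0-rc.3; then echo vulnerable  # 1.4.0-rc.1, 1.4.0-rc.2
  else                                       echo fixed       # 1.4.0-rc.3 and later
  fi
}
# Assumed helper: the first line of "runc --version" reads "runc version X.Y.Z".
runc_installed_status() {
  local v
  v=$(runc --version 2>/dev/null | awk '/^runc version/ { print $3; exit }')
  if [ -z "$v" ]; then echo "runc not found on PATH"; return 2; fi
  echo "runc $v: $(runc_cve_2025_52565_status "$v")"
}

# Usage: pass --installed to check the local binary, or a version string.
case "${1:-}" in --installed) runc_installed_status ;; ?*) runc_cve_2025_52565_status "$1" ;; esac
```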
📡 Detection & Monitoring
Log Indicators:
- Unusual container console activity
- Attempts to write to /proc/sysrq-trigger or /proc/sys/kernel/core_pattern from containers
Network Indicators:
- Unexpected network connections from containers to host services
SIEM Query:
container.runtime=runc AND (event.action="mount" AND target.path="/dev/console")
🔗 References
- https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4
- https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398
- https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e
- https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d
- https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a
- https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64
- https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8
- https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480
- https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r