CVE-2025-52881

7.5 HIGH

📋 TL;DR

CVE-2025-52881 is a vulnerability in runc that lets an attacker redirect writes intended for the /proc filesystem to other locations, by exploiting a race condition involving shared mounts. This can enable privilege escalation or container escape in containerized environments. Affected systems are those running vulnerable runc versions (1.2.7, 1.3.2, 1.4.0-rc.2) under container runtimes such as Docker, Kubernetes, or other OCI-compliant systems.

💻 Affected Systems

Products:
  • runc
  • Docker
  • Kubernetes
  • containerd
  • Podman
  • Other OCI-compliant container runtimes
Versions: runc versions 1.2.7, 1.3.2, and 1.4.0-rc.2
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires shared mounts and parallel container execution, which can be triggered via docker buildx build or similar parallel execution mechanisms.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Container escape leading to host compromise, privilege escalation to root on host system, or unauthorized access to other containers and host resources.

🟠

Likely Case

Privilege escalation within container environment, potential data exfiltration, or disruption of container operations.

🟢

If Mitigated

Limited impact if proper container isolation, least privilege, and security controls are implemented, though risk remains until patched.

🌐 Internet-Facing: MEDIUM - Exploitation requires access to container runtime, but internet-facing containers could be targeted if attackers gain initial access.
🏢 Internal Only: HIGH - Internal container environments with vulnerable runc versions are at significant risk from malicious insiders or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires race condition timing and shared mount configuration, making it moderately complex but feasible for skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: runc versions 1.2.8, 1.3.3, and 1.4.0-rc.3

Vendor Advisory: https://github.com/opencontainers/runc/security/advisories

Restart Required: Yes

Instructions:

1. Update runc to a patched version (1.2.8, 1.3.3, or 1.4.0-rc.3).
2. Update the container runtime (Docker, containerd, etc.) to use the patched runc.
3. Restart container runtime services.
4. Rebuild containers if they embed vulnerable runc versions.

🔧 Temporary Workarounds

Disable parallel container builds (Linux)

Prevent triggering the race condition by disabling parallel execution in container build systems:

    docker buildx build --parallel=false

Set parallel build options to false in CI/CD pipelines.

Restrict shared mounts (Linux)

Limit or audit container configurations that use shared mounts:

    docker run --mount type=bind,source=/proc,target=/proc,readonly

Implement pod security policies to restrict mount sharing.

🧯 If You Can't Patch

  • Implement strict container isolation policies and limit container privileges
  • Monitor for suspicious container behavior and unauthorized mount operations

🔍 How to Verify

Check if Vulnerable:

Check the runc version: runc --version | grep version. If the output shows 1.2.7, 1.3.2, or 1.4.0-rc.2, the system is vulnerable.

Check Version:

runc --version

Verify Fix Applied:

After update, verify runc version shows 1.2.8, 1.3.3, or 1.4.0-rc.3. Test container operations with shared mounts.
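The version check above can be scripted so that fleet inventory or CI jobs classify hosts automatically. The following POSIX shell script is an added example and not part of this advisory; it parses the first line of runc --version output, compares the version token against the affected and fixed lists stated above, and reports anything else as "unknown" rather than guessing. The sample output embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a runc version against the
# affected and patched releases listed for CVE-2025-52881.

# Constructed sample of `runc --version` output; only the first line is parsed.
SAMPLE_OUTPUT='runc version 1.2.7
commit: v1.2.7-0-g0000000
spec: 1.2.0'

# Extract the version token (third field of the "runc version X" line).
runc_version_from_output() {
    printf '%s\n' "$1" | awk '/^runc version/ { print $3; exit }'
}

# Return 0 (true) when the version is one of the affected releases named above.
runc_is_affected() {
    case "$1" in
        1.2.7|1.3.2|1.4.0-rc.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 (true) when the version is one of the patched releases named above.
runc_is_fixed() {
    case "$1" in
        1.2.8|1.3.3|1.4.0-rc.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a one-word verdict: affected, fixed, or unknown (not listed in the advisory).
runc_verdict() {
    if runc_is_affected "$1"; then
        echo affected
    elif runc_is_fixed "$1"; then
        echo fixed
    else
        echo unknown
    fi
}

# Stand-alone run: classify the constructed sample, then the installed runc if any.
sample_version=$(runc_version_from_output "$SAMPLE_OUTPUT")
echo "sample: ${sample_version} -> $(runc_verdict "$sample_version")"

if command -v runc >/dev/null 2>&1; then
    live_output=$(runc --version 2>/dev/null || true)
    live_version=$(runc_version_from_output "$live_output")
    echo "installed: ${live_version:-unparsed} -> $(runc_verdict "${live_version:-}")"
fi
```

A verdict of "unknown" means the version is neither in the affected list nor in the patched list given on this page; treat such hosts as needing manual review against the vendor advisory rather than as safe.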

📡 Detection & Monitoring

Log Indicators:

  • Unusual /proc file access patterns
  • Container escape attempts in audit logs
  • Multiple container creation events with shared mounts

Network Indicators:

  • Unexpected outbound connections from containers
  • Unusual inter-container communication patterns

SIEM Query:

source="container_runtime" AND (event="mount" OR event="proc_access") AND user="root"
