CVE-2025-31133

06.11.2025, 19:15

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Symlink

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Vendor	Product	Version
linuxfoundation	runc	𝑥 < 1.2.8
linuxfoundation	runc	1.3.0 ≤ 𝑥 < 1.3.3
linuxfoundation	runc	1.4.0:rc1
linuxfoundation	runc	1.4.0:rc2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

runc

bullseye	vulnerable
bullseye (security)	vulnerable
bookworm	vulnerable
bookworm (security)	vulnerable
trixie	vulnerable
forky	1.3.3+ds1-2 fixed
sid	1.3.3+ds1-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

runc

questing	ignored
plucky	ignored
noble	ignored
jammy	ignored
focal	ignored
bionic	ignored
xenial	ignored

runc-app

questing	Fixed 1.3.3-0ubuntu1~25.10.2 released
plucky	Fixed 1.3.3-0ubuntu1~25.04.2 released
noble	Fixed 1.3.3-0ubuntu1~24.04.2 released
jammy	Fixed 1.3.3-0ubuntu1~22.04.2 released
focal	ignored

runc-stable

questing	Fixed 1.3.3-0ubuntu1~25.10.2 released
noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

Common Weakness Enumeration

CWE-61 - UNIX Symbolic Link (Symlink) Following
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

Vulnerability Media Exposure

[GERMAN] Red Hat Enterprise Linux (runc): Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen
Ein lokaler Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux und Red Hat OpenShift ausnutzen, um Sicherheitsvorkehrungen zu umgehen und einen Denial of Service herbeizuführen.
Published: 2025-11-09T23:00:00+00:00

References

https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522

https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66

https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f

https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64

https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2