Hasty Briefs (beta)

Breakdown of New RunC Vulnerabilities

13 days ago
  • #security
  • #vulnerability
  • #runc
  • Three new runC vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) let a malicious container image, or a process racing a container start, escape to the host as root, crash the host kernel, or defeat Linux Security Module (LSM) policy enforcement.
  • The shared root cause is a time-of-check to time-of-use (TOCTOU) race in runC's mount handling: runC inspects a path inside the container's root filesystem and later mounts or writes to it, and an attacker who swaps that path for a symlink in between redirects the operation to a host file of their choosing.
  • CVE-2025-31133: runC masks sensitive paths by bind-mounting the container's `/dev/null` over them. If `/dev/null` has been replaced with a symlink, runC bind-mounts the symlink's target instead, so host procfs files such as `/proc/sys/kernel/core_pattern` or `/proc/sysrq-trigger` become writable inside the container; writing a core-dump handler to `core_pattern` gives arbitrary code execution on the host, and writing to `sysrq-trigger` triggers a kernel panic.
  • CVE-2025-52565: runC bind-mounts the container's console pty, `/dev/pts/$N`, over `/dev/console`. The same symlink swap on `/dev/pts/$N` makes runC mount a protected path in its place, allowing writes to sensitive files through what the container sees as its console.
  • CVE-2025-52881: runC applies LSM (AppArmor/SELinux) labels by writing to `/proc/self/attr/*`. If those paths are symlinks, the writes land elsewhere, which can prevent the label from being applied, bypassing the intended security controls, or redirect the write into a sensitive file.
  • Mitigations: upgrade to a patched runC (1.2.8, 1.3.3, or 1.4.0-rc.3, or later); run workloads rootless so that an escape does not yield host root; and, where upgrading is not yet possible, restrict symlink creation in the affected directories with a BPF-LSM policy.
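The race described above, as an added example that is not part of the original post or of runC's code base. It models a container rootfs in a temporary directory, uses a file write as a stand-in for the bind mount (mounting needs privileges), and contrasts a naive check-then-use write with a component-by-component `O_NOFOLLOW` open that refuses to follow any symlink between root and target. The layout, file names and the `OpenNoFollow` helper are constructed for illustration; the helper shows the fd-based resolution idea, not runC's actual implementation.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// OpenNoFollow opens rel under root one path component at a time, passing
// O_NOFOLLOW at every step. A symlink anywhere on the way yields ELOOP
// instead of being followed, so a path inspected earlier cannot be redirected
// between that check and this open. Illustrative helper, not runC's code.
func OpenNoFollow(root, rel string, flags int) (*os.File, error) {
	rel = filepath.Clean(rel)
	if filepath.IsAbs(rel) || rel == "." {
		return nil, fmt.Errorf("refusing %q: need a relative path under root", rel)
	}
	dirfd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	parts := strings.Split(rel, string(filepath.Separator))
	for i, part := range parts {
		if part == ".." {
			syscall.Close(dirfd)
			return nil, fmt.Errorf("refusing %q: path escapes root", rel)
		}
		f := syscall.O_NOFOLLOW | syscall.O_CLOEXEC
		if i == len(parts)-1 {
			f |= flags // final component: caller's flags (O_WRONLY etc.)
		} else {
			f |= syscall.O_RDONLY | syscall.O_DIRECTORY // intermediate: must be a real directory
		}
		fd, err := syscall.Openat(dirfd, part, f, 0)
		syscall.Close(dirfd)
		if err != nil {
			if errors.Is(err, syscall.ELOOP) {
				return nil, fmt.Errorf("%s: symlink in path, refusing to follow", filepath.Join(root, rel))
			}
			return nil, err
		}
		dirfd = fd
	}
	return os.NewFile(uintptr(dirfd), filepath.Join(root, rel)), nil
}

// RaceResult records what each strategy did once the attacker swapped the path.
type RaceResult struct {
	SafeOpenedBefore bool  // hardened open succeeds on the honest layout
	NaiveClobbered   bool  // naive write followed the attacker's symlink
	SafeRefused      bool  // hardened open rejected the symlink
	SafeErr          error // the error the hardened open returned
}

// SimulateMaskRace builds a constructed rootfs with dev/null as a regular file
// and host_core_pattern standing in for /proc/sys/kernel/core_pattern, then
// plays the check -> swap -> use sequence against both strategies.
func SimulateMaskRace() (RaceResult, error) {
	var res RaceResult
	root, err := os.MkdirTemp("", "rootfs")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(root)

	devNull := filepath.Join(root, "dev", "null")
	hostFile := filepath.Join(root, "host_core_pattern")
	const original = "|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h"
	if err := os.MkdirAll(filepath.Dir(devNull), 0o755); err != nil {
		return res, err
	}
	if err := os.WriteFile(devNull, nil, 0o666); err != nil {
		return res, err
	}
	if err := os.WriteFile(hostFile, []byte(original), 0o644); err != nil {
		return res, err
	}

	// Honest layout: the hardened open works, so it is not simply failing always.
	if f, err := OpenNoFollow(root, "dev/null", syscall.O_WRONLY); err == nil {
		f.Close()
		res.SafeOpenedBefore = true
	}

	// Time of check: the naive code looks at the path and sees a regular file.
	fi, err := os.Stat(devNull)
	if err != nil || !fi.Mode().IsRegular() {
		return res, fmt.Errorf("unexpected state at check time: %v", err)
	}

	// Attacker wins the race: the checked path becomes a symlink to the host file.
	if err := os.Remove(devNull); err != nil {
		return res, err
	}
	if err := os.Symlink("../host_core_pattern", devNull); err != nil {
		return res, err
	}

	// Time of use, naive: os.WriteFile opens without O_NOFOLLOW and lands on the target.
	payload := []byte("|/tmp/attacker_script")
	if err := os.WriteFile(devNull, payload, 0o666); err != nil {
		return res, err
	}
	got, err := os.ReadFile(hostFile)
	if err != nil {
		return res, err
	}
	res.NaiveClobbered = string(got) == string(payload)

	// Time of use, hardened: the component walk hits the symlink and refuses.
	f, err := OpenNoFollow(root, "dev/null", syscall.O_WRONLY)
	if err == nil {
		f.Close()
	}
	res.SafeRefused = err != nil
	res.SafeErr = err
	return res, nil
}

func main() {
	res, err := SimulateMaskRace()
	if err != nil {
		fmt.Println("setup failed:", err)
		os.Exit(1)
	}
	fmt.Printf("hardened open on honest layout: %v\n", res.SafeOpenedBefore)
	fmt.Printf("naive write clobbered host file: %v\n", res.NaiveClobbered)
	fmt.Printf("hardened open refused symlink:  %v (%v)\n", res.SafeRefused, res.SafeErr)
}
```

The point of the walk is that every step operates on a descriptor obtained from the previous step, so nothing the attacker does to the path string after the first open can change which inode is reached; a check performed on the returned descriptor (for example with `Fstat`) is then a check on the same object that will be used. Patched runC resolves these paths the same way in spirit, through descriptor-based, symlink-refusing lookups, rather than by trusting container-controlled path names.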