Description
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
A flaw was found in runc. The flaw lies in how masked paths are implemented in runc. When masking files, runc bind-mounts the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write.
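The affected and fixed version ranges above are the first thing a defender needs to check on every host. The following is an added example, not code from the runc project or from the advisory: it parses a runc version string (or the first line of `runc --version` output) and reports whether it is at or above the fixed release of its series (1.2.8, 1.3.3, 1.4.0-rc.3). It treats anything below the fixed release of its series as not fixed, which is a conservative reading of the ranges given; the sample output is constructed, not captured from a real host.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, Optional[int]]  # (major, minor, patch, rc or None)

# Fixed releases named in the advisory, keyed by minor series.
# 1.4.0-rc.3 is represented as patch 0 with rc 3.
FIXED_IN = {
    (1, 2): (1, 2, 8, None),
    (1, 3): (1, 3, 3, None),
    (1, 4): (1, 4, 0, 3),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.(\d+))?$")
_OUTPUT_RE = re.compile(r"^runc version (\S+)", re.MULTILINE)


def parse_version(text: str) -> Version:
    """Parse strings such as '1.2.7', 'v1.3.1' or '1.4.0-rc.2'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised runc version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc is not None else None)


def version_from_output(output: str) -> str:
    """Return the version string from the 'runc version X' line of `runc --version`."""
    m = _OUTPUT_RE.search(output)
    if not m:
        raise ValueError("no 'runc version' line found in output")
    return m.group(1)


def _order_key(v: Version):
    major, minor, patch, rc = v
    # A release candidate sorts before the final release with the same number.
    return (major, minor, patch, 0 if rc is not None else 1, rc if rc is not None else 0)


def is_fixed(text: str) -> bool:
    """True if the given runc version is at or above the fixed release of its series."""
    v = parse_version(text)
    series = (v[0], v[1])
    if series not in FIXED_IN:
        # Series older than 1.2 fall under "1.2.7 and below"; series newer than
        # 1.4 were released after the fix and are treated as fixed.
        return series > max(FIXED_IN)
    return _order_key(v) >= _order_key(FIXED_IN[series])


# Constructed sample of `runc --version` output (not captured from a real host).
SAMPLE_OUTPUT = """runc version 1.2.7
spec: 1.2.0
"""

if __name__ == "__main__":
    ver = version_from_output(SAMPLE_OUTPUT)
    print(ver, "fixed" if is_fixed(ver) else "NOT fixed: update runc")
```

On a real host, feed the actual output of `runc --version` to `version_from_output`; vendor builds that carry a distribution suffix after the upstream version will need the regular expression loosened, and for those the RHSA table below is the authoritative answer.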
Statement
Red Hat rates this flaw as Important: exploitation requires local access with only minimal privileges, and a successful attack can compromise the environment.
Mitigations
Potential mitigations for this issue include:
- Using user namespaces, with the host root user not mapped into the container's namespace. procfs file permissions are managed using Unix DAC and thus user namespaces stop a container process from being able to write to them.
- Not running as a root user in the container (this includes disabling setuid binaries with noNewPrivileges). As above, procfs file permissions are managed using Unix DAC and thus non-root users cannot write to them.
- Depending on the maskedPaths configuration (the default configuration only masks paths in /proc and /sys), using an AppArmor profile that blocks unexpected writes to any maskedPaths (as is the case with the default profile used by Docker and Podman) will block attempts to exploit this issue. However, CVE-2025-52881 allows an attacker to bypass LSM labels, so this mitigation is not helpful when considered in combination with CVE-2025-52881.
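The first two mitigations can be verified directly from a container's OCI runtime config.json. The following is an added example, not code from runc, Docker or Podman: it audits a config for a user namespace whose uidMappings leave host uid 0 unmapped, a non-root process user, and noNewPrivileges, and reports the AppArmor profile without counting it as a mitigation on its own, for the reason given above. Both configs are constructed samples; the field names (linux.namespaces, linux.uidMappings, process.user, process.noNewPrivileges, process.apparmorProfile, linux.maskedPaths) are the standard OCI runtime-spec fields.

```python
import json

# Constructed sample: root in the container, no user namespace, setuid allowed.
WEAK_CONFIG = json.loads("""{
  "ociVersion": "1.0.2",
  "process": {
    "user": {"uid": 0, "gid": 0},
    "noNewPrivileges": false,
    "args": ["sh"]
  },
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "network"}],
    "maskedPaths": ["/proc/kcore", "/proc/sysrq-trigger"]
  }
}""")

# Constructed sample: user namespace with host uid 0 left unmapped, an
# unprivileged user inside the container, and no_new_privs set.
HARDENED_CONFIG = json.loads("""{
  "ociVersion": "1.0.2",
  "process": {
    "user": {"uid": 1000, "gid": 1000},
    "noNewPrivileges": true,
    "apparmorProfile": "container-default",
    "args": ["sh"]
  },
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "network"}, {"type": "user"}],
    "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
    "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
    "maskedPaths": ["/proc/kcore", "/proc/sysrq-trigger"]
  }
}""")


def host_root_mapped(config: dict) -> bool:
    """True if host uid 0 lies inside any uidMappings range."""
    for m in config.get("linux", {}).get("uidMappings", []):
        if m["hostID"] <= 0 < m["hostID"] + m["size"]:
            return True
    return False


def audit(config: dict) -> dict:
    """Report which of the advisory's mitigations the config applies."""
    linux = config.get("linux", {})
    process = config.get("process", {})
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}
    has_userns = "user" in ns_types and bool(linux.get("uidMappings"))
    return {
        "user_namespace_without_host_root": has_userns and not host_root_mapped(config),
        "non_root_user": process.get("user", {}).get("uid", 0) != 0,
        "no_new_privileges": bool(process.get("noNewPrivileges", False)),
        # Reported for information only: an LSM profile alone is bypassable
        # in combination with CVE-2025-52881, so it is not counted below.
        "apparmor_profile": process.get("apparmorProfile"),
        "masked_paths": list(linux.get("maskedPaths", [])),
    }


def mitigated(config: dict) -> bool:
    """True if the config applies either of the first two mitigations:
    a user namespace without host root, or a non-root user with no_new_privs."""
    f = audit(config)
    return f["user_namespace_without_host_root"] or (
        f["non_root_user"] and f["no_new_privileges"]
    )


def load_config(path: str) -> dict:
    """Load an OCI config.json from disk (e.g. a bundle's config.json)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "mitigated" if mitigated(cfg) else "NOT mitigated", audit(cfg))
```

Point `load_config` at a real bundle's config.json to audit a running setup; a config that fails `mitigated` should be treated as exposed until runc is updated to a fixed release.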
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 4 | openshift-clients | Not affected | | |
| Red Hat Enterprise Linux 8 | container-tools | Fixed | RHSA-2025:21232 | 13.11.2025 |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | container-tools | Fixed | RHSA-2026:4693 | 17.03.2026 |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | container-tools | Fixed | RHSA-2026:4693 | 17.03.2026 |
| Red Hat Enterprise Linux 9 | runc | Fixed | RHSA-2025:19927 | 07.11.2025 |
| Red Hat Enterprise Linux 9 | runc | Fixed | RHSA-2025:20957 | 11.11.2025 |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | runc | Fixed | RHSA-2026:4531 | 12.03.2026 |
| Red Hat Enterprise Linux 9.4 Extended Update Support | runc | Fixed | RHSA-2026:0425 | 12.01.2026 |
| Red Hat OpenShift Container Platform 4.12 | runc | Fixed | RHSA-2026:0315 | 15.01.2026 |
| Red Hat OpenShift Container Platform 4.13 | runc | Fixed | RHSA-2026:0676 | 22.01.2026 |
Additional information
Status:
EPSS
8.2 High
CVSS3
Related vulnerabilities
runc container escape via "masked path" abuse due to mount race conditions