Description
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly; however, as with CVE-2025-31133, this can lead to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern`.
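A container-side check for the two conditions this advisory turns on, added here as an example; it is not runc's code and not part of the advisory. It parses `/proc/self/mountinfo`, confirms that `/dev/console` is itself a devpts mount (the `/dev/pts/$n` bind that runc sets up for a container that allocates a console), and confirms that the two targets the advisory names, `/proc/sysrq-trigger` and `/proc/sys/kernel/core_pattern`, are backed by a mount carrying the `ro` flag. It assumes the container's config lists `/proc/sysrq-trigger` and `/proc/sys` under `readonlyPaths`, as runc's default spec does, so `core_pattern` is protected by the `/proc/sys` mount rather than by a mount of its own. The two mountinfo excerpts are constructed for the example and were not captured from a real or attacked container; the broken one simply drops the console bind and the `ro` flag on `/proc/sysrq-trigger` to exercise both checks, and does not claim to reproduce what the attack produces. A clean result only shows that the mounts landed where runc intended for this container; it says nothing about whether the runc binary is a fixed release, which the tables below answer.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// Mount holds the fields of one /proc/self/mountinfo line that the audit needs.
type Mount struct {
	Point  string // mount point, relative to the container root after pivot_root(2)
	FSType string // filesystem type: "devpts", "proc", "tmpfs", ...
	Opts   string // per-mount options, e.g. "ro,nosuid,nodev,noexec,relatime"
}

// ParseMountInfo parses mountinfo text. A line reads
//   id parent major:minor root mountpoint opts [optional fields...] - fstype source superopts
// The optional fields vary in number, so the line is split at the " - " separator first.
func ParseMountInfo(text string) []Mount {
	var mounts []Mount
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		pre, post, ok := strings.Cut(sc.Text(), " - ")
		f, g := strings.Fields(pre), strings.Fields(post)
		if !ok || len(f) < 6 || len(g) < 1 {
			continue // malformed line: skip it rather than guess
		}
		mounts = append(mounts, Mount{Point: f[4], FSType: g[0], Opts: f[5]})
	}
	return mounts
}

// covering returns the mount that backs path: the one whose mount point is the
// longest prefix of it (a bare "/" matches everything).
func covering(mounts []Mount, path string) (m Mount, ok bool) {
	for _, c := range mounts {
		if path == c.Point || strings.HasPrefix(path, strings.TrimSuffix(c.Point, "/")+"/") {
			if !ok || len(c.Point) > len(m.Point) {
				m, ok = c, true
			}
		}
	}
	return m, ok
}

// AuditContainerMounts applies the two checks this advisory motivates, from inside
// the container: /dev/console must itself be a devpts mount (the /dev/pts/$n bind),
// and each read-only path must be backed by a mount whose options include "ro".
// Masked paths are not checked here.
func AuditContainerMounts(mounts []Mount, readonlyPaths []string) []string {
	var findings []string
	if c, ok := covering(mounts, "/dev/console"); !ok || c.Point != "/dev/console" {
		findings = append(findings, "/dev/console is not a mount point")
	} else if c.FSType != "devpts" {
		findings = append(findings, "/dev/console is backed by "+c.FSType+", expected devpts")
	}
	for _, p := range readonlyPaths {
		c, ok := covering(mounts, p)
		if !ok || !strings.Contains(","+c.Opts+",", ",ro,") {
			findings = append(findings, p+" is not covered by a read-only mount")
		}
	}
	return findings
}

// ReadonlyPaths are the targets the advisory names; /proc/sys/kernel/core_pattern
// is protected by the read-only bind of /proc/sys (assumed, as in runc's default spec).
var ReadonlyPaths = []string{"/proc/sysrq-trigger", "/proc/sys/kernel/core_pattern"}

// HealthyMountInfo is a constructed excerpt for a correctly set-up container.
const HealthyMountInfo = `21 20 0:42 / / rw,relatime - overlay overlay rw
22 21 0:43 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 21 0:44 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
25 23 0:45 /0 /dev/console rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
26 22 0:43 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
27 22 0:43 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw`

// BrokenMountInfo is a constructed excerpt with the console bind missing and
// /proc/sysrq-trigger left writable; it exists only to exercise the checks.
const BrokenMountInfo = `21 20 0:42 / / rw,relatime - overlay overlay rw
22 21 0:43 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 21 0:44 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
26 22 0:43 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
27 22 0:43 /sysrq-trigger /proc/sysrq-trigger rw,nosuid,nodev,noexec,relatime - proc proc rw`

// main audits the live mount table when the binary is run inside a container.
func main() {
	data, err := os.ReadFile("/proc/self/mountinfo")
	if err != nil {
		fmt.Println("cannot read mountinfo:", err)
		return
	}
	fmt.Println(AuditContainerMounts(ParseMountInfo(string(data)), ReadonlyPaths))
}
```

Build it statically (`CGO_ENABLED=0 go build`), copy the binary into the container and run it there; an empty list means both checks passed for that container's mount table.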
| Release | Status | Note |
|---|---|---|
| devel | needs-triage | |
| esm-apps/bionic | ignored | backport too intrusive |
| esm-apps/noble | ignored | backport too intrusive |
| esm-apps/xenial | ignored | backport too intrusive |
| esm-infra/focal | ignored | backport too intrusive |
| jammy | ignored | backport too intrusive |
| noble | ignored | backport too intrusive |
| plucky | ignored | backport too intrusive |
| questing | ignored | backport too intrusive |
| upstream | released | 1.2.8,1.3.3,1.4.1 |
| Release | Status | Note |
|---|---|---|
| devel | needs-triage | |
| esm-apps/focal | ignored | backport too intrusive |
| esm-apps/jammy | released | 1.3.3-0ubuntu1~22.04.2 |
| jammy | released | 1.3.3-0ubuntu1~22.04.2 |
| noble | released | 1.3.3-0ubuntu1~24.04.2 |
| plucky | released | 1.3.3-0ubuntu1~25.04.2 |
| questing | released | 1.3.3-0ubuntu1~25.10.2 |
| upstream | released | 1.2.8,1.3.3,1.4.1 |
| Release | Status | Note |
|---|---|---|
| bionic | DNE | |
| devel | needs-triage | |
| focal | DNE | |
| jammy | DNE | |
| noble | DNE | |
| questing | released | 1.3.3-0ubuntu1~25.10.2 |
| trusty | DNE | |
| upstream | released | 1.2.8,1.3.3,1.4.1 |
| xenial | DNE | |
EPSS
Related vulnerabilities
runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly; however, as with CVE-2025-31133, this can lead to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern`
runc container escape with malicious config due to /dev/console mount and related races
A vulnerability in the runc isolated-container runtime, related to a race condition that permits link following, allowing an attacker to affect the confidentiality, integrity and availability of protected information