Updated on 2025-11-07 GMT+08:00

Notice of the runC Container Escape Vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881)

runC is a lightweight tool for running containers that implements the Open Container Initiative (OCI) runtime specification. It is a core, low-level component of container software such as Docker, containerd, and Kubernetes. The runC community recently disclosed three high-risk vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). These vulnerabilities may allow container escape, information leakage, or denial of service when a new container is started.

Description

Table 1 Vulnerability details

  Type: Container escape, information leakage, and denial of service
  CVE-ID: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881
  Severity: High
  Discovered: 2025-11-05

  • CVE-2025-31133: A race condition exists in runC's implementation of the maskedPaths feature. An attacker can exploit symbolic links to trick runC into leaving sensitive files (for example, /proc/sys/kernel/core_pattern) writable inside the container. This vulnerability can result in container escape.
  • CVE-2025-52565: A race condition occurs when runC creates the /dev/console device. An attacker can replace /dev/pts/$n with a symbolic link pointing to files in the /proc directory. This vulnerability can result in container escape or denial of service.
  • CVE-2025-52881: A race condition allows attackers to redirect write operations for security labels and system parameters to arbitrary /proc files. This bypasses Linux Security Module (LSM) policies (for example, AppArmor and SELinux). Combined with other vulnerabilities, it can result in container escape or denial of service.

Vulnerability Exploitation Conditions

CCE clusters in normal usage are not affected by any of these vulnerabilities.

An attacker can exploit one of these vulnerabilities when the following conditions are met:

  1. The attacker can customize container images.
  2. Containers are running with root permissions.

The following shows the common ways in which exploitation can occur:

  • When a container is started, /dev/null inside the container is replaced with a symbolic link pointing to files in the /proc directory. This enables container escape.
  • An attacker replaces /dev/pts/$n with a symbolic link pointing to files in the /proc directory. This enables container escape.
  • The /proc/self/attr/current file (used for AppArmor tags) is redirected to /proc/self/sched. As a result, AppArmor or SELinux configurations are not applied to the container process, leaving it in an unconstrained state.

Impact

When the above exploitation conditions are met, the container process may escape to the host node, leading to node information leakage or denial of service.

Identification Method

Log in to the CCE console, click the name of the target cluster to access the cluster console, and check the cluster version on the Overview page.

If the cluster version is v1.28.15-r60, v1.29.15-r20, v1.30.14-r20, v1.31.10-r20, v1.32.6-r20, v1.33.5-r10, or earlier, and the root user runs container images from unknown or untrusted sources, potential security risks may arise.

Solution

Workarounds:

  • Ensure that all workload container images originate from verified and trusted sources.
  • Apply cluster pod security policies or other admission control approaches to prevent containers from being started as the root user, and set allowPrivilegeEscalation to false:
    securityContext:
      allowPrivilegeEscalation: false

Before performing the preceding workarounds, evaluate the impact on services and perform thorough tests.
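The two checks described above (the cluster version from Identification Method and the root/allowPrivilegeEscalation workaround) can be scripted. The following is an added example, not code from this notice or from CCE; it assumes pod data in the shape produced by `kubectl get pods -A -o json`, that the `-rNN` suffix orders releases within a patch version, and uses constructed sample pods.

```python
import re

# Constructed sample, shaped like `kubectl get pods -A -o json` output.
SAMPLE_PODS = {
    "items": [
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"securityContext": {"runAsNonRoot": True},
                  "containers": [{"name": "app",
                                  "securityContext": {"allowPrivilegeEscalation": False}}]}},
        {"metadata": {"namespace": "default", "name": "legacy"},
         "spec": {"containers": [{"name": "app"}]}},
        {"metadata": {"namespace": "ops", "name": "mixed"},
         "spec": {"securityContext": {"runAsNonRoot": True},
                  "containers": [{"name": "sidecar",
                                  "securityContext": {"runAsUser": 0,
                                                      "allowPrivilegeEscalation": False}}]}},
    ]
}

# Highest affected (patch, rNN) per minor version, as listed in the notice ("or earlier").
AFFECTED_UP_TO = {"1.28": (15, 60), "1.29": (15, 20), "1.30": (14, 20),
                  "1.31": (10, 20), "1.32": (6, 20), "1.33": (5, 10)}

def is_affected_version(version):
    """True if a CCE version such as 'v1.30.14-r20' is at or below the listed release; None if the minor is not listed."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)-r(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version {version!r}")
    major, minor, patch, rev = (int(x) for x in m.groups())
    key = f"{major}.{minor}"
    if key not in AFFECTED_UP_TO:
        return None
    return (patch, rev) <= AFFECTED_UP_TO[key]  # assumes -rNN orders within a patch release

def audit(pods):
    """Map 'namespace/pod' to containers that may run as root or allow privilege escalation."""
    findings = {}
    for pod in pods["items"]:
        pod_sc = pod["spec"].get("securityContext", {})
        key = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for c in pod["spec"]["containers"]:
            sc = c.get("securityContext", {})
            # Container-level fields override pod-level ones.
            run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if run_as_user == 0 or (run_as_user is None and not non_root):
                findings.setdefault(key, []).append((c["name"], "may run as root"))
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.setdefault(key, []).append((c["name"], "allowPrivilegeEscalation not false"))
    return findings
```

Pods absent from the result satisfy both workaround conditions; a listed pod names the container and which condition it misses.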

Rectification method:

We will release a new version that fixes these vulnerabilities. Watch the Patch Versions page and upgrade your clusters to a version in which these vulnerabilities are fixed. For clusters that have reached end of service (EOS), upgrade them to a version that is still under maintenance.

Helpful Links

For the details published by the runC community, see the runC project's Security page.