Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN774
_____________________________________________________________________

DATE                : 06/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running runc versions prior to 1.2.8,
                                   1.3.3, 1.4.0-rc.3.

=====================================================================
https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r
_____________________________________________________________________

container escape via "masked path" abuse due to mount race conditions
High
cyphar published GHSA-9493-h29p-rfm2 Nov 5, 2025

Package
github.com/opencontainers/runc (Go)

Affected versions
<=1.2.7, <=1.3.2, <=1.4.0-rc.2

Patched versions
1.2.8, 1.3.3, 1.4.0-rc.3


Description

Impact

The OCI runtime specification has a maskedPaths feature that allows
for files or directories to be "masked" by placing a mount on top
of them to conceal their contents. This is primarily intended to
protect against privileged users in non-user-namespaced from being
able to write to files or access directories that would either
provide sensitive information about the host to containers or
allow containers to perform destructive or other privileged
operations on the host (examples include /proc/kcore,
/proc/timer_list, /proc/acpi, and /proc/keys).

maskedPaths can be used to either mask a directory or a
file -- directories are masked using a new read-only tmpfs instance
that is mounted on top of the masked path, while files are masked
by bind-mounting the container's /dev/null on top of the
masked path.

In all known versions of runc, when using the container's /dev/null
to mask files, runc would not perform sufficient verification that
the source of the bind-mount (i.e., the container's /dev/null) was
actually a real /dev/null inode. While /dev/null is usually created
by runc doing container creation, it is possible for an attacker to
create a /dev/null or modify the /dev/null inode created by runc
through race conditions with other containers sharing mounts (we have
also verified this attack is possible to exploit using a standard
Dockerfile with docker buildx build as that also permits triggering
parallel execution of containers with custom shared mounts
configured).

This could lead to two separate issues:
Attack 1: Arbitrary Mount Gadget (leading to Host Information
Disclosure, Host Denial of Service, or Container Escape)

By replacing /dev/null with a symlink to an attacker-controlled path,
an attacker could cause runc to bind-mount an arbitrary source path
to a path inside the container. This could lead to:

    Host Denial of Service: By bind-mounting files such as
    /proc/sysrq-trigger, the attacker can gain access to a read-write
    version of files which can be destructive to write to
    (/proc/sysrq-trigger would allow an attacker to trigger a kernel
    panic, shutting down the machine, or causing the machine to freeze
    without rebooting).
    Container Escape: By bind-mounting /proc/sys/kernel/core_pattern,
    the attacker can reconfigure a coredump helper -- as kernel
    upcalls are not namespaced, the configured binary (which could be
    a container binary or a host binary with a malicious command-line)
    will run with full privileges on the host system. Thus, the
    attacker can simply trigger a coredump and gain complete root
    privileges over the host.

Note that while config.json allows users to bind-mount arbitrary
paths (and thus an attacker that can modify config.json arbitrarily
could gain the same access as this exploit), because maskedPaths is
applied by almost all higher-level container runtimes (and thus
provides a guaranteed mount source) this flaw effectively allows any
attacker that can spawn containers (with some degree of control over
what kinds of containers are being spawned) to achieve
the above goals.

This attack was analysed as having a CVSSv4 severity of 7.3 (High)
using the vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H.
Attack 2: Bypassing maskedPaths

While investigating Attack 1, we discovered that our validation
mechanism when bind-mounting /dev/null for maskedPaths would ignore
ENOENT errors -- meaning that if an attacker deleted /dev/null before
we did the bind-mount, we would silently skip applying maskedPaths
for the container. (The original purpose of this ENOENT-ignore
behaviour was to permit configurations where maskedPaths references
non-existent files, but we did not consider that the source path
could also not exist in this kind of race-attack scenario.)

With maskedPaths rendered inoperative, an attacker would be able to
access sensitive host information from files in /proc that would
usually be masked (such as /proc/kcore). However, note that /proc/sys
and /proc/sysrq-trigger are mounted read-only rather than being
masked with files, so this attack variant will not allow the same
breakout or host denial of service attacks as in Attack 1.

This attack was analysed as having a CVSSv4 severity of 5.6 (Moderate)
using the vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N.


Patches

This advisory is being published as part of a set of three advisories:

    CVE-2025-31133
    CVE-2025-52881
    CVE-2025-52565

The patches fixing this issue have accordingly been combined into a
single patchset. The following patches from that patchset resolve the
issues in this advisory:

    db19bbe ("internal/sys: add VerifyInode helper")
    8476df8 ("libct: add/use isDevNull, verifyDevNull")
    1a30a8f ("libct: maskPaths: only ignore ENOENT on mount dest")
    5d7b242 ("libct: maskPaths: don't rely on ENOTDIR for mount")

runc 1.2.8, 1.3.3, and 1.4.0-rc.3 have been released and all contain
fixes for these issues. As per our new release model, runc 1.1.x and
earlier are no longer supported and thus have not been patched.
Mitigations

    Use containers with user namespaces (with the host root user not
    mapped into     the container's user namespace). This will block
    most of the most serious aspects of these attacks, as the procfs
    files used for the container breakout use Unix DAC permissions
    and user namespaced users will not have access to the relevant
   files.

    We would also like to take this opportunity to re-iterate that we
    strongly recommend all users use user namespaced containers. They
    have proven to be one of the best security hardening mechanisms
    against container breakouts, and the kernel applies additional
    restrictions to user namespaced containers above and beyond the
    user remapping functionality provided. With the advent of
    id-mapped mounts (Linux 5.12), there is very little reason to
    not use user namespaces for most applications. Note that using
    user namespaces to configure your container does not mean you have
    to enable unprivileged user namespace creation inside the
    container -- most container runtimes apply a seccomp-bpf profile
    which blocks unshare(CLONE_NEWUSER) inside containers regardless
    of whether the container itself uses user namespaces.

    Rootless containers can provide even more protection if your
    configuration can use them -- by having runc itself be an
    unprivileged process, in general you would expect the impact
    scope of a runc bug to be less severe as it would only have
    the privileges afforded to the host user which spawned runc.

    For non-user namespaced containers, configure all containers
    you spawn to not permit processes to run with root privileges.
    In most cases this would require configuring the container to
    use a non-root user and enabling noNewPrivileges to disable any
    setuid or set-capability binaries. (Note that this is our
    general recommendation for a secure container setup -- it is
    very difficult, if not impossible, to run an untrusted program
    with root privileges safely.) If you need to use ping in your
    containers, there is a net.ipv4.ping_group_range sysctl that
    can be used to allow unprivileged users to ping without
    requiring setuid or set-capability binaries.

    Do not run untrusted container images from unknown or
    unverified sources.

    Depending on the configuration of maskedPaths, an AppArmor
    profile (such as the default one applied by higher level
    runtimes including Docker and Podman) can block write attempts
    to most of /proc and /sys. This means that even with a procfs
    file maliciously bind-mounted to a maskedPaths target, all of
    the targets of maskedPaths in the default configuration of
    runtimes such as Docker or Podman will still not permit write
    access to said files. However, if a container is configured
    with a maskedPaths that is not protected by AppArmor then the
    same attack can be carried out.

    Please note that CVE-2025-52881 allows an attacker to bypass
    LSM labels, and so this mitigation is not that helpful when
    considered in combination with CVE-2025-52881.

    Based on our analysis, SELinux policies have a lmited effect
    when trying to protect against this attack. The reason is that
    the /dev/null bind-mount gets implicitly relabelled with
    context=... set to the container's SELinux context, and thus
    the container process will have access to the source of the
    bind-mount even if they otherwise wouldn't.


Other Runtimes

As this vulnerability boils down to a fairly easy-to-make logic bug,
we have provided information to other OCI (crun, youki) and non-OCI
(LXC) container runtimes about this vulnerability.

Based on discussions with other runtimes, it seems that crun and
youki may have similar security issues and will release a
co-ordinated security release along with runc. LXC appears to also
be vulnerable in some aspects, but their security stance is
(understandably) that non-user-namespaced containers are
fundamentally insecure by design.


References

    GHSA-cgrx-mc8f-2prm


Credits

Thanks to Lei Wang (@ssst0n3 from Huawei) for finding and reporting
the original vulnerability (Attack 1), and Li Fubang (@lifubang from
acmcoder.com, CIIC) for discovering another attack vector (Attack 2)
based on @ssst0n3's initial findings.


Severity
High
/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Local
Attack Complexity Low
Attack Requirements Present
Privileges Required Low
User interaction Active
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID
CVE-2025-31133

Weaknesses
Weakness CWE-61
Weakness CWE-363


Credits

    @ssst0n3 ssst0n3 Finder
    @rata rata Analyst
    @kolyshkin kolyshkin Remediation developer
    @lifubang lifubang Finder
    @cyphar cyphar Remediation developer

_____________________________________________________________________


container escape and denial of service due to arbitrary write gadgets
and procfs write redirects
High
cyphar published GHSA-cgrx-mc8f-2prm Nov 5, 2025

Package
github.com/opencontainers/runc (Go)

Affected versions
<=1.2.7, <=1.3.2, <=1.4.0-rc.2

Patched versions
1.2.8, 1.3.3, 1.4.0-rc.3

github.com/opencontainers/selinux (Go)
Affected versions
<=1.12.0
Patched versions
None


Description

Impact

This attack is primarily a more sophisticated version of
CVE-2019-19921, which was a flaw which allowed an attacker to trick
runc into writing the LSM process labels for a container process into
a dummy tmpfs file and thus not apply the correct LSM labels to the
container process. The mitigation we applied for CVE-2019-19921 was
fairly limited and effectively only caused runc to verify
that when we write LSM labels that those labels are actual procfs
files.

Rather than using a fake tmpfs file for /proc/self/attr/<label>, an
attacker could instead (through various means) make
/proc/self/attr/<label> reference a real procfs file, but one that
would still be a no-op (such as /proc/self/sched). This would have the
same effect but would clear the "is a procfs file" check. We were
aware that this kind of attack would be possible (even going so far
as to discuss this publicly as "future work" at conferences), and we
were working on a far more comprehensive mitigation of this attack,
but this security issue was disclosed before we could complete
this work.

In all known versions of runc, an attacker can trick runc into
misdirecting writes to /proc to other procfs files through the use of
a racing container with shared mounts (we have also verified this
attack is possible to exploit using a standard Dockerfile with docker
buildx build as that also permits triggering parallel execution of
containers with custom shared mounts configured). This redirect could
be through symbolic links in a tmpfs or theoretically other methods
such as regular bind-mounts.

Note that while /proc/self/attr/<label> was the example used above
(which is LSM-specific), this issue affect all writes to /proc in runc
and thus also affects sysctls (written to /proc/sys/...) and some
other APIs.


Additional Impacts

While investigating this issue, we discovered that another risk with
these redirected writes is that they could be redirected to dangerous
files such as /proc/sysrq-trigger rather than just no-op files like
/proc/self/sched. For instance, the default AppArmor profile name in
Docker is docker-default, which when written to /proc/sysrq-trigger
would cause the host system to crash.

When this was discovered, we conducted an audit of other write
operations within runc and found several possible areas where runc
could be used as a semi-arbitrary write gadget when combined with the
above race attacks. The most concerning attack scenario was the
configuration of sysctls. Because the contents of the sysctl are
free-form text, an attacker could use a misdirected write to write to
/proc/sys/kernel/core_pattern and break out of the container (as
described in CVE-2025-31133, kernel upcalls are not namespaced and so
coredump helpers will run with complete root privileges on the host).
Even if the attacker cannot configure custom sysctls, a valid sysctl
string (when redirected to /proc/sysrq-trigger) can easily cause the
machine to hang.

Note that the fact that this attack allows you to disable LSM labels
makes it a very useful attack to combine with CVE-2025-31133 (as one
of the only mitigations available to most users for that issue is
AppArmor, and this attack would let you bypass that). However, the
misdirected write issue above means that you could also achieve most
of the same goals without needing to chain together attacks.

Taking the above additional impacts into account, this attack was
analysed as having a CVSSv4 severity of 7.3 (High) using the vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H.


Patches

This advisory is being published as part of a set of three advisories:

    CVE-2025-31133
    CVE-2025-52881
    CVE-2025-52565

The patches fixing this issue have accordingly been combined into a
single patchset. The following patches from that patchset resolve the
issues in this advisory:

    db19bbe ("internal/sys: add VerifyInode helper")
    6fc1914 ("internal: move utils.MkdirAllInRoot to internal/pathrs")
    ff94f99 ("*: switch to safer securejoin.Reopen")
    44a0fcf ("go.mod: update to github.com/cyphar/filepath-securejoin@v0.5.0")
    77889b5 ("internal: add wrappers for securejoin.Proc*")
    fdcc9d3 ("apparmor: use safe procfs API for labels")
    ff6fe13 ("utils: use safe procfs for /proc/self/fd loop code")
    b3dd1bc ("utils: remove unneeded EnsureProcHandle")
    77d217c ("init: write sysctls using safe procfs API")
    435cc81 ("init: use securejoin for /proc/self/setgroups")
    d61fd29 ("libct/system: use securejoin for /proc/$pid/stat")
    4b37cd9 ("libct: align param type for mountCgroupV1/V2 functions")
    d40b343 ("rootfs: switch to fd-based handling of mountpoint targets")
    ed6b169 ("selinux: use safe procfs API for labels")

        Please note that this patch includes a private patch for
        github.com/opencontainers/selinux that could not be made
        public through a public pull request (as it would necessarily
        disclose this embargoed security issue).

        The patch includes a complete copy of the forked code and a
        replace directive (as well as go mod vendor applied), which
        should still work with downstream build systems. If you cannot
        apply this patch, you can safely drop it -- some of the other
        patches in this series should block these kinds of racing mount
        attacks entirely.

        See opencontainers/selinux#237 for the upstream patch.
    3f92552 ("rootfs: re-allow dangling symlinks in mount targets")
    a41366e ("openat2: improve resilience on busy systems")

runc 1.2.8, 1.3.3, and 1.4.0-rc.3 have been released and all contain
fixes for these issues. As per our new release model, runc 1.1.x and
earlier are no longer supported and thus have not been patched.


Mitigations

    Do not run untrusted container images from unknown or unverified
    sources.

    For the basic no-op attack, this attack allows a container process
    to run with the same LSM labels as runc. For most AppArmor
    deployments this means it will be unconfined, and for SELinux it
    will likely be container_runtime_t. We haven't conducted in-depth
    testing of the impact on SELinux -- it is possible that it provides
    some reasonable protection but it seems likely that an attacker
    could cause harm to systems even with such an SELinux setup.

    For the more involved redirect and write gadget attacks,
    unfortunately most LSM profiles (including the standard
    container-selinux profiles) provide the container runtime access to
    sysctl files (including /proc/sysrq-trigger) and so LSMs likely do
    not provide much protection against these attacks.

    Using rootless containers provides some protection against these
    kinds of bugs (privileged writes in runc being redirected) -- by
    having runc itself be an unprivileged process, in general you would
    expect the impact scope of a runc bug to be less severe as it would
    only have the privileges afforded to the host user which spawned
    runc. For this particular bug, the privilege escalation caused by
    the inadvertent write issue is entirely mitigated with rootless
    containers because the unprivileged user that the runc process is
    executing as cannot write to the aforementioned procfs files (even
    intentionally).


References

    GHSA-cgrx-mc8f-2prm
    CVE-2019-19921
    https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs
    https://docs.rs/pathrs/latest/pathrs/procfs/struct.ProcfsHandle.html
    https://youtu.be/tGseJW_uBB8
    https://youtu.be/y1PaBzxwRWQ


Other Runtimes

As this vulnerability boils down to a fairly easy-to-make logic bug,
we have provided information to other OCI (crun, youki) and non-OCI
(LXC) container runtimes about this vulnerability.

Based on discussions with other runtimes, it seems that crun and youki
may have similar security issues and will release a co-ordinated
security release along with runc. LXC appears to use the host's /proc
for all procfs operations, and so is likely not vulnerable to this
issue (this is a trade-off -- runc uses the container's procfs to avoid
CVE-2016-9962-style attacks).


Credits

Thanks to Li Fubang (@lifubang from acmcoder.com, CIIC) and Tõnis
Tiigi (@tonistiigi from Docker) for both independently discovering
this vulnerability, as well as Aleksa Sarai (@cyphar from SUSE) for
the original research into this class of security issues and
solutions.

Additional thanks go to Tõnis Tiigi for finding some very useful
exploit templates for these kinds of race attacks using docker
buildx build.


Severity
High
7.3/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Local
Attack Complexity Low
Attack Requirements Present
Privileges Required Low
User interaction Active
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID
CVE-2025-52881

Weaknesses
Weakness CWE-61
Weakness CWE-363


Credits

    @tonistiigi tonistiigi Finder
    @cyphar cyphar Finder
    @lifubang lifubang Finder

_____________________________________________________________________


container escape with malicious config due to /dev/console mount and
related races
High
cyphar published GHSA-qw9x-cqr3-wc7r Nov 5, 2025

Package
github.com/opencontainers/runc (Go)

Affected versions
>=v1.0.0-rc3, <=1.2.7, <=1.3.2, <=1.4.0-rc.2

Patched versions
1.2.8, 1.3.3, 1.4.0-rc.3


Description

Impact

This attack is very similar in concept and application to
CVE-2025-31133, except that it attacks a similar vulnerability in a
different target (namely, the bind-mount of /dev/pts/$n to /dev/console
as configured for all containers that allocate a console).

In runc version 1.0.0-rc3 and later, due to insufficient checks when
bind-mounting /dev/pts/$n to /dev/console inside the container, an
attacker can trick runc into bind-mounting paths which would normally
be made read-only or be masked onto a path that the attacker can write
to. This happens after pivot_root(2), so this cannot be used to write
to host files directly -- however, as with CVE-2025-31133, this can
load to denial of service of the host or a container breakout by
providing the attacker with a writable copy of /proc/sysrq-trigger or
/proc/sys/kernel/core_pattern (respectively).

The reason that the attacker can gain write access to these files is
because the /dev/console bind-mount happens before maskedPaths and
readonlyPaths are applied.

This attack was analysed as having a CVSSv4 severity of 7.3 (High)
using the vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H.


Additional Findings

While investigating this issue, we discovered some other theoretical
issues that may or may not be exploitable, as well as taking the
opportunity to fix some fairly well-known issues related to consoles.

Issue 1: Problematic Usage of os.Create

Go provides an os.Create function for creating files, which older
code in runc (dating back to the original libcontainer from the early
2010s) had a tendency to use fairly liberally. os.Create implies
O_CREAT|O_TRUNC but by design it does not apply O_NOFOLLOW nor O_EXCL,
meaning if the target is swapped with a malicious symlink runc can be
tricked into truncating host files (which can lead to denial of
service attacks, among other concerns).

We conducted an audit of all os.Create usages in runc and found some
suspicious usages related to device inodes, but based on our testing
these were not exploitable in practice. We now have custom code lints
to block any os.Create usage in runc, and plan to do a further audit
of any other plain os.* operation usage throughout runc after this
advisory becomes public.

CVE-2024-45310 was a similar attack but without the O_TRUNC component
(which resulted in a "Low" severity) -- a similar attack being
exploitable would've been much more severe. As this attack did not
appear to be exploitable, we did not assign a CVSS vector for this
theoretical attack.

Issue 2: Malicious /dev/pts/$n Inode Attacks (TIOCGPTPEER)

The (very) classic API for constructing consoles involves first
opening /dev/ptmx for reading and writing. This allocates a new
pseudo-terminal and the returned file descriptor is the "master" end
(which is used by higher-level runtimes to do I/O with the container).

Traditionally, in order to get the "slave" end, you do
ioctl(ptm, TIOCGPTN) to get the pseudo-terminal number and then open
the file in /dev/pts/ with the corresponding base-10 decimal number of
the number returned by TIOCGPTN. The naive way of doing this is
vulnerable to very basic race attacks where /dev/pts/$n is replaced
with a different pseudo-terminal or other malicious file.

In order to provide a mechanism to mitigate this risk, Aleksa Sarai
(@cyphar from SUSE) implemented TIOCGPTPEER back in 2017 to provide a
race-free way of doing the last TIOCGPTN step by opening the peer end
of the pseudo-terminal directly. However, at the time it was believed
to be too impractical to implement this protection in runc due to its
no-monitor-process architecture (unlike runtimes like LXC which made
use of TIOCGPTPEER almost immediately). While working on this advisory,
we found a way to make TIOCGPTN usage on pre-4.13 kernels still safe
against race attacks and so have implemented both TIOCGPTPEER support
as well as safe TIOCGPTN support as a fallback.

Another possible target of attack would be replacing /dev/ptmx or
/dev/pts/ptmx with a different inode and tricking runc into trying
to operate on it. This is very similar to the core issue in
CVE-2025-31133 and had a similar solution.

Our analysis was that while this attack appears to be potentially
problematic in theory, it seems unlikely to actually be exploitable
due to how consoles are treated (runc tries to do several
pseudo-terminal-specific ioctls and will error out if they fail --
which happens for most other file types). In principle you could
imagine a DoS attack using a disconnected NFS handle but it seems
impractical to exploit. However, we felt it prudent to include a
solution (and this also provides a safe mechanism to get the source
mount for the /dev/console bind-mount issue at the beginning of this
advisory).

As this attack did not appear to be exploitable, we did not assign a
CVSS vector for this theoretical attack.


Patches

This advisory is being published as part of a set of three advisories:

    CVE-2025-31133
    CVE-2025-52881
    CVE-2025-52565

The patches fixing this issue have accordingly been combined into a
single patchset. The following patches from that patchset resolve the
issues in this advisory:

    db19bbe ("internal/sys: add VerifyInode helper")
    ff94f99 ("*: switch to safer securejoin.Reopen")
    531ef79 ("console: use TIOCGPTPEER when allocating peer PTY")
    398955b ("console: add fallback for pre-TIOCGPTPEER kernels")
    9be1dbf ("console: avoid trivial symlink attacks for /dev/console")
    de87203 ("console: verify /dev/pts/ptmx before use")
    01de9d6 ("rootfs: avoid using os.Create for new device inodes")
    aee7d3f ("ci: add lint to forbid the usage of os.Create")

runc 1.2.8, 1.3.3, and 1.4.0-rc.3 have been released and all contain
fixes for these issues. As per our new release model, runc 1.1.x and
earlier are no longer supported and thus have not been patched.


Mitigations

    Use containers with user namespaces (with the host root user not
    mapped into the container's user namespace). This will block most
    of the most serious aspects of these attacks, as the procfs files
    used for the container breakout use Unix DAC permissions and user
    namespaced users will not have access to the relevant files.

    An attacker would still be able to bind-mount host paths into the
    container but if the host uids and gids mapped into the container
    do not overlap with ordinary users on the host (which is the
    generally recommended configuration) then the attacker would likely
    not be able to read or write to most sensitive host files
    (depending on the Unix DAC permissions of the host files). Note that
    this is still technically more privilege than an unprivileged user
    on the host -- because the bind-mount is done by a privileged
    process, the attacker would be able to get access to directories
    whose parents may have denied search access (i.e., they may be able
    to access paths inside a chmod 700 directory that would normally
    block them from resolving subpaths).

    We would also like to take this opportunity to re-iterate that we
    strongly recommend all users use user namespaced containers. They
    have proven to be one of the best security hardening mechanisms
    against container breakouts, and the kernel applies additional
    restrictions to user namespaced containers above and beyond the
    user remapping functionality provided. With the advent of
    id-mapped mounts (Linux 5.12), there is very little reason to
    not use user namespaces for most applications. Note that using user
    namespaces to configure your container does not mean you have to
    enable unprivileged user namespace creation inside the container
    -- most container runtimes apply a seccomp-bpf profile which blocks
    unshare(CLONE_NEWUSER) inside containers regardless of whether the
    container itself uses user namespaces.

    Rootless containers can provide even more protection if your
    configuration can use them -- by having runc itself be an
    unprivileged process, in general you would expect the impact scope
    of a runc bug to be less severe as it would only have the
    privileges afforded to the host user which spawned runc.

    For non-user namespaced containers, configure all containers you
    spawn to not permit processes to run with root privileges. In
    most cases this would require configuring the container to use a
    non-root user and enabling noNewPrivileges to disable any setuid
    or set-capability binaries. (Note that this is our general
    recommendation for a secure container setup -- it is very
    difficult, if not impossible, to run an untrusted program with
    root privileges safely.) If you need to use ping in your
    containers, there is a net.ipv4.ping_group_range sysctl that can be
    used to allow unprivileged users to ping without requiring setuid
    or set-capability binaries.

    Do not run untrusted container images from unknown or unverified
    sources.

    The default containers-selinux SELinux policy mitigates this
    issue, as (unlike CVE-2025-31133) the /dev/console bind-mount
    does not get relabeled and so the container process cannot write
    to the bind-mounted procfs file by default.

    Please note that CVE-2025-52881 allows an attacker to bypass LSM
    labels, and so this mitigation is not that helpful when
    considered in combination with CVE-2025-52881.

    The default AppArmor policy used by Docker and Podman does not
    mitigate this issue (as access to /dev/console) is usually
    permitted. Users could create a custom profile that blocks
    access to /dev/console, but such a profile might break regular
    containers.

    Please note that CVE-2025-52881 allows an attacker to bypass
    LSM labels, and so the mitigation provided with a custom profile
    is not that helpful when considered in combination with
    CVE-2025-52881.


References

    GHSA-qw9x-cqr3-wc7r
    https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=54ebbfb1603415d9953c150535850d30609ef077 ("tty: add TIOCGPTPEER ioctl")

Other Runtimes

As this vulnerability boils down to a fairly easy-to-make logic bug,
we have provided information to other OCI (crun, youki) and non-OCI
(LXC) container runtimes about this vulnerability.

Based on discussions with other runtimes, it seems that crun and youki
may have similar security issues and will release a co-ordinated
security release along with runc. LXC appears to also be vulnerable in
some aspects, but their security stance is (understandably) that
non-user-namespaced containers are fundamentally insecure by design.


Credits

Thanks to Lei Wang (@ssst0n3 from Huawei) and Li Fubang (@lifubang
from acmcoder.com, CIIC) for discovering and reporting the main
/dev/console bind-mount vulnerability, as well as Aleksa Sarai
(@cyphar from SUSE) for discovering Issues 1 and 2 and the original
research into these classes of issues several years ago.

Severity
High
7.3/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Local
Attack Complexity Low
Attack Requirements Present
Privileges Required Low
User interaction Active
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID
CVE-2025-52565

Weaknesses
Weakness CWE-61
Weakness CWE-363


Credits

    @ssst0n3 ssst0n3 Finder
    @lifubang lifubang Finder
    @cyphar cyphar Finder


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================