
Three severe vulnerabilities have been identified in the container runtime environment runC, which is used by Docker, Kubernetes, and other platforms. Attackers can exploit the flaws to escape the containers and ultimately gain root access to the host system.
RunC is a command-line tool for spawning and running containers according to the Open Container Initiative (OCI) specification. Administrators of any software that uses it are advised to update to the latest releases, because the vulnerabilities enable container breakouts.
According to Aleksa Sarai, Senior Software Engineer at SUSE Linux, more than 20 patches were released to resolve three runC issues. The patches “are quite large” and “quite deep.”
Amazon Web Services (AWS) has issued a bulletin to customers, noting no cross-customer risks, but advising them to update environments to the updated runC versions.
While no active exploits have been identified, the core risk is that an attacker could trick runC and bypass container isolation.
The first flaw, tracked as CVE-2025-31133, stems from how “masked paths” are implemented in runC. The software does not sufficiently verify /dev/null when masking paths: a malicious actor in a compromised container can replace that file with a link to a sensitive host file, and runC would inadvertently give them access to it.
“This enables writing to critical files, such as /proc/sys/kernel/core_pattern, to escape the container,” Sysdig, a security company, writes in an advisory.
The second flaw, CVE-2025-52565, can be abused during container initialization to gain write access to protected process file system (procfs) files.
The last vulnerability, CVE-2025-52881, enables attackers inside a container to trick runC into misdirecting writes to sensitive system files in /proc, the special directory through which the Linux kernel exposes process and system information.
Security researchers urge updating runC to version 1.2.8, 1.3.3, or 1.4.0-rc.3 or later, and applying patches released by vendors on cloud platforms.
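A fleet-wide check of that advice is the first thing a defender wants, and it is easy to get wrong because runC ships release candidates (1.4.0-rc.2 is unpatched, 1.4.0-rc.3 is not). The following script is an added example, not code from the article or from the runC project: it parses the first line of `runc --version` output and compares it against the fixed releases named above, per release branch. The sample outputs are constructed; branches older than 1.2 have no fixed release listed here, so they are reported as needing an upgrade.

```python
import re

# Minimum patched release per runC release branch, as listed in the article.
# Branches not in this table (e.g. 1.1.x) have no listed fix and must move
# to a newer branch.
FIXED_VERSIONS = {
    (1, 2): "1.2.8",
    (1, 3): "1.3.3",
    (1, 4): "1.4.0-rc.3",
}

_VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-rc\.(?P<rc>\d+))?"
)


def parse_version(text):
    """Extract (major, minor, patch, rc) from a version string or from
    `runc --version` output such as 'runc version 1.3.2'.
    rc is None for a final release."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no runC version found in {text!r}")
    rc = m.group("rc")
    return (int(m.group("major")), int(m.group("minor")), int(m.group("patch")),
            int(rc) if rc is not None else None)


def _sort_key(v):
    """Order versions so a release candidate sorts before its final release
    (1.4.0-rc.3 < 1.4.0) and rc numbers compare numerically, not as text."""
    major, minor, patch, rc = v
    return (major, minor, patch, 0 if rc is not None else 1, rc or 0)


def is_patched(version_text):
    """True if the version is at or above the fixed release for its branch,
    or on a newer branch than any branch with a listed fix."""
    v = parse_version(version_text)
    branch = (v[0], v[1])
    if branch in FIXED_VERSIONS:
        return _sort_key(v) >= _sort_key(parse_version(FIXED_VERSIONS[branch]))
    return branch > max(FIXED_VERSIONS)


def audit(version_outputs):
    """Map each `runc --version` output (one per host) to a verdict."""
    return {out: is_patched(out) for out in version_outputs}


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    samples = [
        "runc version 1.2.7\ncommit: v1.2.7-0-gdeadbeef",
        "runc version 1.2.8",
        "runc version 1.3.2",
        "runc version 1.3.3",
        "runc version 1.4.0-rc.2",
        "runc version 1.4.0-rc.3",
        "runc version 1.4.0",
        "runc version 1.1.14",
    ]
    for out, ok in audit(samples).items():
        first = out.splitlines()[0]
        print(f"{first:28} {'patched' if ok else 'UPDATE REQUIRED'}")
```

On a real fleet, feed `audit()` the collected output of `runc --version` from each host; a runC built from a development tree may print a version suffix this pattern does not account for, in which case inspect it by hand.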
“Enable user namespaces for all containers, which blocks the most serious attack vectors, as user namespace processes lack access to the procfs files required for exploitation,” Sysdig recommends.
“Use rootless containers where possible to limit the scope of vulnerabilities.”
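Whether a container actually runs in a user namespace is visible in its OCI runtime `config.json`: the `linux.namespaces` list must contain a `user` entry, and `uidMappings`/`gidMappings` must map container root to an unprivileged host ID, otherwise the namespace offers little. The check below is an added example, not code from the article, Sysdig or the runC project; the three config fragments are constructed to show a correct user namespace, a missing one, and one that maps container root back to host root.

```python
import json

# Constructed OCI runtime config fragments, not real container configs.
CONFIG_WITH_USERNS = json.dumps({
    "ociVersion": "1.0.2",
    "process": {"user": {"uid": 0, "gid": 0}},
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}],
        "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
        "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
    },
})

CONFIG_WITHOUT_USERNS = json.dumps({
    "ociVersion": "1.0.2",
    "process": {"user": {"uid": 0, "gid": 0}},
    "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}]},
})

# A user namespace whose mappings still make container root host root.
CONFIG_USERNS_ROOT_MAPPED = json.dumps({
    "ociVersion": "1.0.2",
    "linux": {
        "namespaces": [{"type": "user"}],
        "uidMappings": [{"containerID": 0, "hostID": 0, "size": 65536}],
        "gidMappings": [{"containerID": 0, "hostID": 0, "size": 65536}],
    },
})


def _root_maps_unprivileged(mappings):
    """True if container ID 0 is covered by a mapping whose host ID is not 0."""
    for m in mappings:
        if m.get("containerID", 0) == 0 and m.get("size", 0) > 0:
            return m.get("hostID", 0) != 0
    return False  # container root is not mapped at all


def check_user_namespace(config_text):
    """Return findings for an OCI config.json; an empty list means the
    container has a user namespace with root mapped to unprivileged IDs."""
    cfg = json.loads(config_text)
    linux = cfg.get("linux", {})
    findings = []
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}
    if "user" not in ns_types:
        findings.append("no user namespace: container root is host root")
        return findings
    for key in ("uidMappings", "gidMappings"):
        if not _root_maps_unprivileged(linux.get(key, [])):
            findings.append(f"{key}: container ID 0 maps to host ID 0 or is unmapped")
    return findings


if __name__ == "__main__":
    for name, cfg in [("with userns", CONFIG_WITH_USERNS),
                      ("without userns", CONFIG_WITHOUT_USERNS),
                      ("root mapped to root", CONFIG_USERNS_ROOT_MAPPED)]:
        print(name, "->", check_user_namespace(cfg) or ["ok"])
```

Running this over the `config.json` of each running container (the path depends on the container engine's state directory) gives a quick inventory of which workloads still run without the mitigation Sysdig describes.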