Container Escape Vulnerability in runc
CVE-2025-31133

7.3HIGH

Key Information:

Vendor: Opencontainers
Status: Runc
Vendor: CVE Published:; 6 November 2025

🔔 Create Opencontainers Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC📰 News Worthy

What is CVE-2025-31133?

An improper input validation vulnerability exists in runc, allowing malicious users to exploit insufficient checks on the bind-mount source. This flaw can potentially lead to host information disclosure, denial of service, or even a container escape via crafted /dev/null inodes. The vulnerability has been addressed in subsequent releases, specifically in versions 1.2.8, 1.3.3, and 1.4.0-rc.3 which include crucial fixes to enhance container security.

Affected Version(s)

runc < 1.2.8 < 1.2.8

runc >= 1.3.0-rc.1, < 1.3.3 < 1.3.0-rc.1, 1.3.3

runc >= 1.4.0-rc.1, <= 1.4.0-rc.3 <= 1.4.0-rc.1, 1.4.0-rc.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Learn-about-cve-2025-31133-poc
Created by C-h4ck-0

News Articles

BleepingComputer

CVE-2025-31133 CVE-2025-52565

Dangerous runC flaws could allow hackers to escape Docker containers

Three newly disclosed vulnerabilities in the runC container runtime used in Docker and Kubernetes could be exploited to bypass isolation restrictions and get access to the host system.