Container Escape Vulnerability in runc
CVE-2025-31133

7.3 HIGH

Key Information:

CVE Published: 6 November 2025

Badges

👾 Exploit Exists
📰 News Worthy

What is CVE-2025-31133?

runc contains an improper input validation vulnerability: it performs insufficient checks on the source of a bind-mount, and malicious users can exploit this. The flaw can lead to host information disclosure, denial of service, or even a container escape via crafted /dev/null inodes. The vulnerability is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

Affected Version(s)

runc < 1.2.8

runc >= 1.3.0-rc.1, < 1.3.3

runc >= 1.4.0-rc.1, <= 1.4.0-rc.3

News Articles

Dangerous runC flaws could allow hackers to escape Docker containers

Three newly disclosed vulnerabilities in the runC container runtime used in Docker and Kubernetes could be exploited to bypass isolation restrictions and get access to the host system.

3 weeks ago

CVSS V4

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved
