Insufficient Checks in runc Leading to Potential Container Breakout
CVE-2025-52565

8.4HIGH

Key Information:

Vendor

Opencontainers

Status
Runc
Vendor
CVE Published:
6 November 2025

Badges

đź“° News Worthy

What is CVE-2025-52565?

The runc CLI tool, used for spawning and running containers, contains a vulnerability that arises from insufficient checks during the bind-mounting of /dev/pts/$n to /dev/console. This oversight allows an attacker to potentially mount paths that should be read-only, leading to risks of Denial of Service or container breakout situations. By exploiting this vulnerability, an attacker could gain write access to sensitive files within the container or affect the host system. The issue has been addressed in subsequent updates, making it crucial for users to upgrade to the patched versions.

Affected Version(s)

runc >= 1.0.0-rc3, < 1.2.8 < 1.0.0-rc3, 1.2.8

runc >= 1.3.0-rc.1, < 1.3.3 < 1.3.0-rc.1, 1.3.3

runc >= 1.4.0-rc.1, < 1.4.0-rc.3 < 1.4.0-rc.1, 1.4.0-rc.3

News Articles

favicon imageBleepingComputer

Dangerous runC flaws could allow hackers to escape Docker containers

Three newly disclosed vulnerabilities in the runC container runtime used in Docker and Kubernetes could be exploited to bypass isolation restrictions and get access to the host system.

3 weeks ago

References

https://github.com/opencontainers/runc/security/advisorie...
x_refsource_CONFIRM
https://github.com/opencontainers/runc/commit/01de9d65dc7...
x_refsource_MISC
https://github.com/opencontainers/runc/commit/398955bccb7...
x_refsource_MISC

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • đź“°

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-52565 : Insufficient Checks in runc Leading to Potential Container Breakout