Insufficient Checks in runc Leading to Potential Container Breakout
CVE-2025-52565
8.4HIGH
What is CVE-2025-52565?
The runc CLI tool, used for spawning and running containers, contains a vulnerability that arises from insufficient checks during the bind-mounting of /dev/pts/$n to /dev/console. This oversight allows an attacker to potentially mount paths that should be read-only, leading to risks of Denial of Service or container breakout situations. By exploiting this vulnerability, an attacker could gain write access to sensitive files within the container or affect the host system. The issue has been addressed in subsequent updates, making it crucial for users to upgrade to the patched versions.
Affected Version(s)
runc >= 1.0.0-rc3, < 1.2.8 < 1.0.0-rc3, 1.2.8
runc >= 1.3.0-rc.1, < 1.3.3 < 1.3.0-rc.1, 1.3.3
runc >= 1.4.0-rc.1, < 1.4.0-rc.3 < 1.4.0-rc.1, 1.4.0-rc.3