Container Misconfiguration Vulnerability in runc Tool by Open Containers Initiative
CVE-2025-52881

7.3HIGH

Key Information:

Vendor

Opencontainers

Status
Runc
Vendor
CVE Published:
6 November 2025

What is CVE-2025-52881?

The runc tool, designed to manage container lifecycle for OCI-compliant containers, faces a vulnerability that allows attackers to manipulate the expected behavior of the container's filesystem. This is achieved by creating a racing condition where writes intended for specific procfs files are redirected to others, potentially exposing sensitive data or leading to unintended side effects. This misdirection can be exploited using shared mounts and symbolic links in a tmpfs, leveraging Docker build configurations. The issue has been addressed in subsequent versions, ensuring that write operations adhere to strict checks for procfs file integrity.

Affected Version(s)

runc <= 1.2.7, < 1.2.8 < 1.2.7, 1.2.8

runc <= 1.3.2, < 1.3.3 < 1.3.2, 1.3.3

runc <= 1.4.0-rc.2, < 1.4.0-rc.3 < 1.4.0-rc.2, 1.4.0-rc.3

References

https://github.com/opencontainers/runc/security/advisorie...
x_refsource_CONFIRM
https://github.com/opencontainers/runc/security/advisorie...
x_refsource_MISC
https://github.com/opencontainers/runc/security/advisorie...
x_refsource_MISC

CVSS V4

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-52881 : Container Misconfiguration Vulnerability in runc Tool by Open Containers Initiative