8.4

CVE-2025-52565

Exploit
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container allow an attacker to trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). The bind-mount happens after `pivot_root(2)`, so it cannot be used to write to host files directly; however, as with CVE-2025-31133, it can lead to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
Data provided by the National Vulnerability Database (NVD)
Linuxfoundation Runc, version >= 1.0.1 < 1.2.8
Linuxfoundation Runc, version >= 1.3.0 < 1.3.3
Linuxfoundation Runc, version 1.0.0, update rc3
Linuxfoundation Runc, version 1.0.0, update rc4
Linuxfoundation Runc, version 1.0.0, update rc5
Linuxfoundation Runc, version 1.0.0, update rc6
Linuxfoundation Runc, version 1.0.0, update rc7
Linuxfoundation Runc, version 1.0.0, update rc8
Linuxfoundation Runc, version 1.0.0, update rc9
Linuxfoundation Runc, version 1.0.0, update rc90
Linuxfoundation Runc, version 1.0.0, update rc91
Linuxfoundation Runc, version 1.0.0, update rc92
Linuxfoundation Runc, version 1.0.0, update rc93
Linuxfoundation Runc, version 1.0.0, update rc94
Linuxfoundation Runc, version 1.0.0, update rc95
Linuxfoundation Runc, version 1.4.0, update rc1
Linuxfoundation Runc, version 1.4.0, update rc2
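For auditing hosts against the affected ranges in the description, the following is an added example (not from NVD or the runc project) that classifies the output of `runc --version`. The function and constant names are hypothetical, the sample output is constructed, and releases after 1.4.0-rc.3 are assumed to carry the fix.

```python
import re

# Affected ranges from the advisory text above: (first affected, first fixed).
AFFECTED_RANGES = [
    ("1.0.0-rc3", "1.2.8"),
    ("1.3.0-rc.1", "1.3.3"),
    ("1.4.0-rc.1", "1.4.0-rc.3"),
]

# Accepts both rc spellings used in the advisory ("-rc3" and "-rc.1"); "~rc" is
# an assumption covering Debian-style package versions.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-~]rc\.?(\d+))?")


def version_key(text):
    """Sortable key for the first x.y.z[-rcN] found in text.

    A final release sorts after every release candidate of the same x.y.z.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no runc version found in {text!r}")
    major, minor, patch, rc = m.groups()
    stage = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + stage


def first_fixed(version_output):
    """Return the fixed release to move to, or None if not in an affected range.

    Distribution packages may backport the fix without changing the upstream
    version string, so a hit means "check the vendor advisory", not proof.
    """
    key = version_key(version_output)
    for first_bad, fixed in AFFECTED_RANGES:
        if version_key(first_bad) <= key < version_key(fixed):
            return fixed
    return None


# Constructed sample of `runc --version` output (not captured from a real host).
SAMPLE_OUTPUT = "runc version 1.3.2\ncommit: v1.3.2-0-gCONSTRUCTED\nspec: 1.2.1\n"

if __name__ == "__main__":
    for v in (SAMPLE_OUTPUT, "1.0.0-rc2", "1.0.0-rc95", "1.2.8", "1.4.0-rc.2"):
        fixed = first_fixed(v)
        label = v.splitlines()[0]
        print(f"{label}: " + (f"affected, fixed in {fixed}" if fixed else "not in an affected range"))
```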
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.02% | 0.036 |
CVSS metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 7.5 | 0.8 | 6 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| security-advisories@github.com | 8.4 | 0 | 0 | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CWE-363 Race Condition Enabling Link Following

The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.

CWE-61 UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.