
What is the Vulnerability?

High-severity vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) were disclosed in early November 2025. A malicious or compromised container image can abuse how runc handles masked paths, bind-mounts, and special files to write to the host /proc filesystem and escape the container boundary – enabling remote code execution on the host, persistence, or cluster-wide denial-of-service. These issues affect virtually all Linux container stacks that use runc (Docker, containerd, CRI-O, Kubernetes, and managed services).

CVE-2025-31133 – Incorrect handling of masked paths; attacker can replace container /dev/null with a symlink and possibly escape.

CVE-2025-52565 – Incorrect handling of /dev/console bind-mounts; attacker can exploit a bind-mount symlink to escape.

CVE-2025-52881 – Incomplete fix for the earlier CVE-2019-16884, leading to a possible DoS or escape.

What is the recommended Mitigation?

Patch runc/update node images: Apply vendor runc updates. AWS lists patched runc (package version runc-1.3.2-2 for Amazon Linux variants) and updated AMIs/Bottlerocket releases; AWS also automated Fargate/ECS updates where applicable. If using other distros, install the distribution-provided patched runc packages per vendor guidance.
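As an added example (not part of this Threat Signal or of runc itself), the following script checks whether a node's runc binary is at or above the fixed release for its branch, parsing the output of `runc --version`. The fixed version list is a placeholder to be filled from your vendor's advisory; note that distribution packages often backport fixes without changing the upstream version string, so for distro packages also compare the package version (as with the Amazon Linux runc-1.3.2-2 package cited above) against the vendor guidance.

```python
import re
import subprocess
from typing import Iterable, Optional, Tuple

# Placeholder list: one fixed upstream release per runc branch, taken from the
# vendor/runc advisory (the Threat Signal only cites the Amazon Linux package
# runc-1.3.2-2, a distro package version, not an upstream release number).
FIXED_RELEASES = ["FIXED_VERSION_PER_BRANCH_FROM_ADVISORY"]

_VERSION_RE = re.compile(r"runc version (\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")

VersionKey = Tuple[int, int, int, int, int]


def parse_runc_version(text: str) -> Optional[VersionKey]:
    """Turn the first line of `runc --version` ("runc version 1.3.2") into a
    sortable key. Release candidates sort below the final release:
    1.4.0-rc.1 -> (1, 4, 0, 0, 1), 1.4.0 -> (1, 4, 0, 1, 0)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    final, rc_num = (1, 0) if rc is None else (0, int(rc))
    return (int(major), int(minor), int(patch), final, rc_num)


def is_patched(version_output: str, fixed_releases: Iterable[str]) -> bool:
    """True only if the node's runc is on a branch covered by fixed_releases
    and is at or above that branch's fixed release. Unparseable output and
    branches the advisory does not cover are reported as unpatched (fail closed)."""
    have = parse_runc_version(version_output)
    if have is None:
        return False
    for fixed in fixed_releases:
        want = parse_runc_version("runc version " + fixed)
        if want is not None and want[:2] == have[:2]:
            return have >= want
    return False


def check_local_runc(fixed_releases: Iterable[str] = FIXED_RELEASES) -> Tuple[str, bool]:
    """Run `runc --version` on this node and return (raw output, patched?)."""
    try:
        out = subprocess.run(["runc", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return ("runc not found", False)
    return (out.strip(), is_patched(out, fixed_releases))


if __name__ == "__main__":
    raw, ok = check_local_runc()
    print(raw.splitlines()[0] if raw else raw, "-> patched" if ok else "-> UNPATCHED or unknown")
```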

Audit & logging: Enable container runtime logging (including containerd/dockerd debug logging) and review it for suspicious mount/bind events.

What FortiGuard Coverage is available?

  • FortiGuard Labs continues to closely monitor this vulnerability and associated exploit activity. Users are strongly advised to follow security best practices and apply the latest vendor patches immediately. FortiGuard Labs will update this Threat Signal with additional protective coverage and threat intelligence as the situation evolves.

  • FortiCNAPP Cloud Team is actively investigating the impact on cloud workloads and will provide configuration and remediation guidance as new information becomes available.

  • Incident Response Support: The FortiGuard Incident Response team is available to assist organizations with investigation, containment, and recovery in the event of suspected compromise.