Key information

Vulnerability title: Container escape and denial of service due to arbitrary write gadgets and procfs write redirects
Vulnerability ID: GHSA-vf95-55w6-qmrF
CVE: CVE-2025-62596
Affected versions: <= 0.5.5
Fixed version: 0.5.5
Severity: High

CVSS v4 base metrics
Exploitability Metrics
- Attack Vector: Local
- Attack Complexity: Low
- Attack Requirements: Present
- Privileges Required: Low
- User interaction: Active
Vulnerable System Impact Metrics
- Confidentiality: High
- Integrity: High
- Availability: High
Subsequent System Impact Metrics
- Confidentiality: High
- Integrity: High
- Availability: High

Description

Impact
- Youki's AppArmor handling performs insufficiently strict write-target validation which, combined with path substitution during pathname resolution, can allow writes to unintended procfs locations.

Weak write-target check
- Youki only verifies that the destination lies somewhere under procfs. As a result, a write intended for /proc/self/attr/apparmor/exec can succeed even if the path has been redirected to /proc/sys/kernel/hostname (which is also in procfs).

Path substitution
- While resolving a path component by component, a shared-mount race can substitute intermediate components and redirect the final target.
- The logic is similar to the corresponding CVE in runc.

References
GHSA-cgrx-mc8f-2prn

Credits
Lifu Bang (@lifubang) and Tõnis Tiigi (@tonistiigi) for both independently discovering runc's original vulnerability. Aleksa Sarai (@cyphar) for original research into this class of security issues and solutions.
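The following Rust example, written for this page and not taken from youki or runc, contrasts the weak check the advisory describes (destination is merely somewhere under procfs) with a strict check: after the attribute file is opened, the path the kernel reports for the descriptor via /proc/self/fd/N must be exactly the intended pid-qualified attribute path, and must not carry the " (deleted)" marker. The function names, the sample pid 4242 and the use of /proc/self/status as a stand-in "redirected" file are constructed for the example; the procfs-backed helper is a hypothetical one, not youki's API.

```rust
use std::fs::File;
use std::io;
#[cfg(target_os = "linux")]
use std::os::unix::io::AsRawFd;

/// Build the exact procfs path the kernel reports for a process's own LSM
/// attribute file, e.g. "/proc/4242/attr/apparmor/exec". readlink on
/// /proc/self/fd/N yields this pid-qualified form, never "/proc/self/...".
pub fn expected_attr_path(pid: u32, attr: &str) -> String {
    format!("/proc/{}/attr/{}", pid, attr)
}

/// The weak check described in the advisory: only confirm that the
/// destination lies somewhere under procfs. A write redirected to
/// /proc/sys/kernel/hostname still passes this.
pub fn weak_check(resolved: &str) -> bool {
    resolved.starts_with("/proc/")
}

/// Strict check: the path the kernel reports for the open descriptor must be
/// exactly the attribute file we intended to write, and the inode must not
/// have been unlinked underneath us (the kernel appends " (deleted)").
pub fn strict_check(resolved: &str, pid: u32, attr: &str) -> bool {
    !resolved.ends_with(" (deleted)") && resolved == expected_attr_path(pid, attr)
}

/// Linux-only, hypothetical helper: after opening the attribute file, ask the
/// kernel where the descriptor really points and apply the strict check.
/// Checking the opened fd (not the path string) defeats a race that swaps
/// intermediate path components between resolution and the write.
#[cfg(target_os = "linux")]
pub fn verify_open_attr_fd(file: &File, attr: &str) -> io::Result<bool> {
    let fd = file.as_raw_fd();
    let resolved = std::fs::read_link(format!("/proc/self/fd/{}", fd))?;
    let resolved = resolved.to_string_lossy().into_owned();
    Ok(strict_check(&resolved, std::process::id(), attr))
}

fn main() -> io::Result<()> {
    // Constructed inputs modelling the advisory's scenario.
    let pid = 4242;
    let attr = "apparmor/exec";
    let intended = expected_attr_path(pid, attr);
    let redirected = "/proc/sys/kernel/hostname";
    println!(
        "weak   intended={} redirected={}",
        weak_check(&intended),
        weak_check(redirected)
    );
    println!(
        "strict intended={} redirected={}",
        strict_check(&intended, pid, attr),
        strict_check(redirected, pid, attr)
    );
    #[cfg(target_os = "linux")]
    {
        // Open a readable procfs file that is not the attribute file and show
        // the strict check rejects the descriptor even though it is in procfs.
        if let Ok(f) = File::open("/proc/self/status") {
            println!("status-fd accepted={}", verify_open_attr_fd(&f, attr)?);
        }
    }
    Ok(())
}
```

The pure functions are what a reviewer would unit-test; the descriptor-based helper is the piece that actually closes the window, because it validates what the kernel opened rather than the string the caller asked for.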