runc CVE-2025-52565 Container Escape via /dev/console Mount Race

Vulnerability Summary Vulnerability Name: container escape with malicious config due to /dev/console mount and related races Vulnerability ID: CVE-2025-52565 Severity: 7.3/10 (High) Affected Versions: >=v1.0.0-rc3, <=1.2.7, <=1.3.2, <=1.4.0-rc.2 Fixed Versions: 1.2.8, 1.3.3, 1.4.0-rc.3 Impact This attack is similar to CVE-2025-31133 but targets a different vector: all containers assigned a console that bind-mounts /dev/pts/$n to /dev/console. Attackers can spoof this mount to a path they can write to, bypassing runc’s checks, leading to denial-of-service of host services or container compromise by providing a writable copy of /proc/sysrq-trigger. Patch Released together with fixes for another vulnerability (CVE-2025-31133) and related issues. Specific runc fixes are available in versions 1.2.8, 1.3.3, and 1.4.0-rc.3. Mitigation Use containers with user namespaces (where the host root user is not mapped to the container’s user namespace). This mitigates most severe aspects of these attacks, as procfs files accessible to the container’s user will not be accessible to the host. For non-user-namespace containers, configure all containers to run processes without root privileges. This typically requires running containers with a non-root user and enabling to disable any setuid or set-capability binaries. Avoid using untrusted container images from unknown or unverified sources. The default container SELinux policy mitigates this issue. Unlike CVE-2025-31133, the /dev/console bind-mount is not relabeled, so container processes cannot write to the bind-mounted procfs files by default. Docker and Podman’s default AppArmor profiles do not provide protection. Users can create a custom profile to block access to /dev/console. References GHSA-qw9x-cqr3-wc7r https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=54ebbfb1603415d9953c150535850d30609ef077 (tty: add TIOCGPTPEER ioctl!)

Goal Reached Thanks to every supporter — we hit 100%!

runc CVE-2025-52565 Container Escape via /dev/console Mount Race

More from this source