CVE-2025-52881
Published 2025-11-06
Priority: P3 (44) · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.53% (40.5th percentile)
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | runc | < runc 1.3.3+ds1-2 (forky) | runc 1.3.3+ds1-2 (forky) |
| github.com | opencontainers_runc | >= 0 < 1.2.8 | 1.2.8 |
| github.com | opencontainers_runc | >= 1.0.0-rc3 < 1.2.8 | 1.2.8 |
| github.com | opencontainers_runc | >= 1.3.0-rc.1 < 1.3.3 | 1.3.3 |
| github.com | opencontainers_runc | >= 1.4.0-rc.1 < 1.4.0-rc.3 | 1.4.0-rc.3 |
| github.com | opencontainers_selinux | >= 0 < 1.13.0 | 1.13.0 |
| github.com | sylabs_singularity_v4 | >= 0 < 4.1.11 | 4.1.11 |
| github.com | sylabs_singularity_v4 | >= 4.2.0-rc.1 < 4.3.5 | 4.3.5 |
| linuxfoundation | runc | < 1.2.8 | 1.2.8 |
| linuxfoundation | runc | — | — |
| linuxfoundation | runc | >= 0 < 1.3.3+ds1-2 | 1.3.3+ds1-2 |
| linuxfoundation | runc | >= 1.3.0 < 1.3.3 | 1.3.3 |
| msrc | azl3_kubernetes_1.30.10-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-16_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-18_on_azure_linux_3.0 | — | — |
| msrc | azl3_runc_1.3.3-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-19_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-21_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-runc_1.1.9-9_on_cbl_mariner_2.0 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| nvd | 4.0 | 7.3 | HIGH | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 7.3 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.3 | HIGH | — |
| vendor_debian | — | 7.0 | HIGH | — |
GHSA · 2025-12-02 · CVSS 7.3
CVE-2025-64750 [HIGH] CWE-61: Singularity ineffectively applies selinux / apparmor LSM process labels
### Impact
_**Native Mode (default)**_
Singularity's default native runtime allows users to apply restrictions to container processes using the apparmor or selinux Linux Security Modules (LSMs), via the `--security selinux:` or `--security apparmor:` flags.
LSM labels are written to process or thread `attrs/exec` under `/proc`. If a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. This requires:
* The attacker to cause the user to run a malicious container image that redirects the mount of `/proc` to the destination of a shared mount, either known to be configured on the target system
OSV · 2025-12-02 · CVSS 7.3
CVE-2025-64750 [HIGH]: Singularity ineffectively applies selinux / apparmor LSM process labels
OSV · 2025-11-24 · CVSS 7.5
CVE-2025-31133 [HIGH]: runc-app, runc-stable regression
USN-7851-1 fixed vulnerabilities in runC. The introduction of a new
upstream release has caused regressions in runc-app and runc-stable.
This update fixes the problem.
Original advisory details:
Lei Wang and Li Fubang discovered that runC incorrectly handled masked
paths. An attacker could possibly replace a container's /dev/null
with a symlink to some other procfs file and possibly escape a container.
(CVE-2025-31133)
Lei Wang and Li Fubang discovered that runC incorrectly handled the
/dev/console bind-mounts. An attacker could potentially exploit this issue
to bind-mount a symlink and escape a container. (CVE-2025-52565)
Li Fubang and Tõnis Tiigi discovered that the fix for CVE-2019-16884 was
incomplete. An attacker could possibly use this issue to
OSV · 2025-11-18
CVE-2025-52881: Container escape and DDoS due to arbitrary write gadgets and procfs write redirects in github.com/opencontainers/runc
OSV · 2025-11-06 · CVSS 7.0
CVE-2025-52881 [HIGH]: runc is a CLI tool for spawning and running containers according to the OCI specification
OSV · 2025-11-05
CVE-2025-31133 [HIGH]: runc container escape via "masked path" abuse due to mount race conditions
### Impact ###
The OCI runtime specification has a `maskedPaths` feature that allows for files or directories to be "masked" by placing a mount on top of them to conceal their contents. This is primarily intended to protect against privileged users in non-user-namespaced from being able to write to files or access directories that would either provide sensitive information about the host to containers or allow containers to perform destructive or other privileged operations on the host (examples include `/proc/kcore`, `/proc/timer_list`, `/proc/acpi`, and `/proc/keys`).
`maskedPaths` can be used to either mask a directory or a file -- directories are masked using a new read-only `tmpfs` instance that is mounted on
GHSA · 2025-11-05 · CVSS 7.0
CVE-2025-52881 [HIGH] CWE-363: runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects
### Impact ###
This attack is primarily a more sophisticated version of CVE-2019-19921, which was a flaw which allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy `tmpfs` file and thus not apply the correct LSM labels to the container process. The mitigation runc applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when runc writes LSM labels that those labels are actual procfs files.
Rather than using a fake `tmpfs` file for `/proc/self/attr/`, an attacker could instead (through various means) make `/proc/self/attr/` reference a real `procfs` file, but one that would still be a no-op (such a
OSV · 2025-11-05 · CVSS 7.0
CVE-2025-52881 [HIGH]: runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects
OSV · 2025-11-05 · CVSS 7.3
CVE-2025-52565 [HIGH]: runc container escape with malicious config due to /dev/console mount and related races
### Impact ###
This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console).
In runc version 1.0.0-rc3 and later, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can lead to denia
GHSA · 2025-11-05 · CVSS 7.3
CVE-2025-52565 [HIGH] CWE-363: runc container escape with malicious config due to /dev/console mount and related races
GHSA · 2025-11-05
CVE-2025-31133 [HIGH] CWE-363: runc container escape via "masked path" abuse due to mount race conditions
OSV · 2025-11-04 · CVSS 7.5
CVE-2025-31133 [HIGH]: runc-app, runc-stable vulnerabilities
Lei Wang and Li Fubang discovered that runC incorrectly handled masked
paths. An attacker could possibly replace a container's /dev/null
with a symlink to some other procfs file and possibly escape a container.
(CVE-2025-31133)
Lei Wang and Li Fubang discovered that runC incorrectly handled the
/dev/console bind-mounts. An attacker could potentially exploit this issue
to bind-mount a symlink and escape a container. (CVE-2025-52565)
Li Fubang and Tõnis Tiigi discovered that the fix for CVE-2019-16884 was
incomplete. An attacker could possibly use this issue to cause a denial of
service or escape the container. (CVE-2025-52881)
Ubuntu · 2025-11-24 · CVSS 7.5
[HIGH] runC regression
Summary: USN-7851-1 introduced a regression in runC
Microsoft · 2025-11-11 · CVSS 7.3
CVE-2025-52881 [HIGH] CWE-61: runc: LSM labels can be bypassed with malicious config using dummy procfs files
Products: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Red Hat · 2025-11-05 · CVSS 7.3
CVE-2025-52565 [HIGH] CWE-59: runc: container escape with malicious config due to /dev/console mount and related races
runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens af
Red Hat · 2025-11-05 · CVSS 7.5
CVE-2025-52881 [HIGH] CWE-59: runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects
Red Hat · 2025-11-05 · CVSS 7.3
CVE-2025-31133 [HIGH] CWE-59: runc: container escape via 'masked path' abuse due to mount race conditions
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
A flaw was found in runc. This flaw exploits an issue with how masked paths are implemented in runc. When mask
Ubuntu · 2025-11-04 · CVSS 7.5
CVE-2025-52565 [HIGH]: runC vulnerabilities
Summary: Several security issues were fixed in runC.
Instructions: This update uses a new upstream release, which includes additiona
Debian · 2025 · CVSS 7.0
CVE-2025-52881 [HIGH]: runc - runc is a CLI tool for spawning and running containers according to the OCI spec...
No detection rules found.
No public exploits indexed.
Bugzilla · 2025-12-19 · CVSS 7.3
[HIGH] [Minor Incident] CVE-2025-52881 cri-tools: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora
Bugzilla · 2025-12-19 · CVSS 7.3
[HIGH] [Minor Incident] CVE-2025-52881 cri-o1.30: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Bugzilla · 2025-12-19 · CVSS 7.3
[HIGH] [Minor Incident] CVE-2025-52881 image-builder: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Bugzilla · 2025-12-19 · CVSS 7.3
[HIGH] [Minor Incident] CVE-2025-52881 cri-tools1.29: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Bugzilla · 2025-12-19 · CVSS 7.3
[HIGH] [Minor Incident] CVE-2025-52881 osbuild-composer: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Bugzilla · 2025-12-19 · CVSS 7.3
[HIGH] [Minor Incident] CVE-2025-52881 cri-o1.34: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
GO-2025-4098
---
Bugzilla · 2025-12-19 · CVSS 7.3
[HIGH] [Minor Incident] CVE-2025-52881 cri-o1.33: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
https://pkg.go.dev/vuln/GO-2025-4098
---
Bugzilla · 2025-12-19 · CVSS 7.3
[HIGH] [Minor Incident] CVE-2025-52881 golang-github-opencontainers-selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Bugzilla · 2025-12-19 · CVSS 7.3
[HIGH] [Minor Incident] CVE-2025-52881 kubernetes1.31: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Bugzilla · 2025-12-19 · CVSS 7.3
[HIGH] [Minor Incident] CVE-2025-52881 cri-tools1.34: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fe
Bugzilla
[Minor Incident] CVE-2025-52881 source-to-image: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
bugzilla·2025-12-19·CVSS 7.3
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 source-to-image: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for
Bugzilla
[Minor Incident] CVE-2025-52881 cri-o1.32: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
bugzilla·2025-12-19·CVSS 7.3
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 cri-o1.32: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
govulncheck confirmed: https://pkg.go.dev/vuln/GO-2025-4098
---
This message is a reminder that Fedora Linux 42 is nearing its end of
Bugzilla
[Minor Incident] CVE-2025-52881 cri-tools1.32: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
bugzilla·2025-12-19·CVSS 7.3
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 cri-tools1.32: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fe
Bugzilla
[Minor Incident] CVE-2025-52881 pack: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
bugzilla·2025-12-19·CVSS 7.3
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 pack: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linu
Bugzilla
[Minor Incident] CVE-2025-52881 cri-o: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
bugzilla·2025-12-19·CVSS 7.3
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 cri-o: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Lin
Bugzilla
[Minor Incident] CVE-2025-52881 runc: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-43]
bugzilla·2025-12-19·CVSS 7.5
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 runc: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-43]
Bugzilla
[Minor Incident] CVE-2025-52881 kubernetes1.30: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
bugzilla·2025-12-19·CVSS 7.3
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 kubernetes1.30: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for F
Bugzilla
[Minor Incident] CVE-2025-52881 cri-tools1.31: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
bugzilla·2025-12-19·CVSS 7.3
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 cri-tools1.31: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fe
Bugzilla
[Minor Incident] CVE-2025-52881 cri-o1.29: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
bugzilla·2025-12-19·CVSS 7.3
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 cri-o1.29: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora
Bugzilla
[Minor Incident] CVE-2025-52881 cri-o1.31: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
bugzilla·2025-12-19·CVSS 7.3
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 cri-o1.31: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora
Bugzilla
[Minor Incident] CVE-2025-52881 cri-tools1.30: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
bugzilla·2025-12-19·CVSS 7.3
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 cri-tools1.30: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fe
Bugzilla
[Minor Incident] CVE-2025-52881 runc: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
bugzilla·2025-11-05·CVSS 7.3
CVE-2025-52881 [HIGH] [Minor Incident] CVE-2025-52881 runc: container escape and denial of service due to arbitrary write gadgets and procfs write redirects [fedora-42]
Discussion:
In testing
---
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing update
Bugzilla
CVE-2025-52881 runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects
bugzilla·2025-10-17·CVSS 7.5
CVE-2025-52881 [HIGH] CVE-2025-52881 runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects
A flaw was found in runc. This attack is a more sophisticated variant of CVE-2019-16884, a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file, so that the correct LSM labels were never applied to the container process. The mitigation applied for CVE-2019-16884 was fairly limited: it effectively only made runc verify that the files it writes LSM labels to are actual procfs files.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:19927 https://access.redhat.com/errata/RHSA-2025:19927
---
This iss
Wiz
Supply Chain Attacks & AI Vulnerabilities: December Cloud Security Update | Wiz
blogs_wiz·2025-12-01·CVSS 10.0
[CRITICAL] Supply Chain Attacks & AI Vulnerabilities: December Cloud Security Update | Wiz
Welcome back! This edition delivers the latest cloud security highlights: key breaches, unique data findings, and must-watch vulnerabilities. Let’s jump in.
🔍 Highlights
Shai-Hulud 2.0: Ongoing Supply Chain Campaign Referencing Shai-Hulud
A new npm supply-chain campaign referencing Shai-Hulud temporarily compromised packages from Zapier, ENS Domains, PostHog, Postman, and others. This wave leveraged temporarily compromised npm maintainer accounts to publish trojanized versions of legitimate packages from major ecosystems. Wiz observed over 25,000 repositories containing secrets across ~350 unique users.
The malicious packages execute code during the preinstall phase, enabling theft of developer and CI/CD secrets and automated propagation to new repositories. Exfiltration is conducted c
Bleepingcomputer
Dangerous runC flaws could allow hackers to escape Docker containers
blogs_bleepingcomputer·2025-11-09·CVSS 7.3
CVE-2025-31133 [HIGH] Dangerous runC flaws could allow hackers to escape Docker containers
By Bill Toulas
Three newly disclosed vulnerabilities in the runC container runtime used in Docker and Kubernetes could be exploited to bypass isolation restrictions and get access to the host system.
The security issues, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 (all ), were reported this week and disclosed by SUSE software engineer and Open Container Initiative (OCI) board member Aleksa Sarai.
runC is a universal container runtime and the OCI reference implementation for running containers. It is responsible for low-level operations such as creating the container process, setting up namespaces, mounts, and cgroups that higher-level tools, like Docker and Kubernetes, can call.
An attacker expl
http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322
http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3
https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md
https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557
https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d
https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58
https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6
https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f
https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544
https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db
https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28
https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2
https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165
https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64
https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1
https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51
https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480
https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r
Published 2025-11-06