Debian Runc vulnerabilities

17 known vulnerabilities affecting debian/runc.

Total CVEs: 17
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 8, MEDIUM 5, LOW 4

Vulnerabilities

CVE-2025-52565 | HIGH | CVSS 7.3 | fixed in runc 1.3.3+ds1-2 (forky) | 2025
CVE-2025-52565 [HIGH] runc - runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read
CVE-2025-52881 | HIGH | CVSS 7.0 | fixed in runc 1.3.3+ds1-2 (forky) | 2025
CVE-2025-52881 [HIGH] runc - runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker b
CVE-2025-31133 | HIGH | CVSS 7.3 | fixed in runc 1.3.3+ds1-2 (forky) | 2025
CVE-2025-31133 [HIGH] runc - runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to m
CVE-2024-21626 | HIGH | CVSS 8.6 | PoC | fixed in runc 1.1.5+ds1-1+deb12u1 (bookworm) | 2024
CVE-2024-21626 [HIGH] runc - runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host file
CVE-2024-45310 | LOW | CVSS 3.6 | fixed in runc 1.1.15+ds1-1 (forky) | 2024
CVE-2024-45310 [LOW] runc - runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create
CVE-2023-27561 | HIGH | CVSS 7.0 | fixed in runc 1.1.5+ds1-1 (bookworm) | 2023
CVE-2023-27561 [HIGH] runc - runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. Scope: local. bookworm: resolved (fixed i
CVE-2023-28642 | MEDIUM | CVSS 6.1 | fixed in runc 1.1.5+ds1-1 (bookworm) | 2023
CVE-2023-28642 [MEDIUM] runc - runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. Users are advised to upgrade. Users unable
CVE-2023-25809 | MEDIUM | CVSS 5.0 | fixed in runc 1.1.5+ds1-1 (bookworm) | 2023
CVE-2023-25809 [MEDIUM] runc - runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgr
CVE-2022-29162 | MEDIUM | CVSS 5.9 | fixed in runc 1.1.3+ds1-1 (bookworm) | 2022
CVE-2022-29162 [MEDIUM] runc - runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities
CVE-2021-30465 | HIGH | CVSS 8.5 | fixed in runc 1.0.0~rc93+ds1-5 (bookworm) | 2021
CVE-2021-30465 [HIGH] runc - runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition. Scope: local. bookworm: resolved (fixed in 1.0.0~rc93+ds1-5); bullseye: res
CVE-2021-43784 | MEDIUM | CVSS 6.0 | fixed in runc 1.0.3+ds1-1 (bookworm) | 2021
CVE-2021-43784 [MEDIUM] runc - runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handl
CVE-2019-19921 | HIGH | CVSS 7.0 | fixed in runc 1.0.0~rc10+dfsg1-1 (bookworm) | 2019
CVE-2019-19921 [HIGH] runc - runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the
CVE-2019-16884 | HIGH | CVSS 7.5 | fixed in golang-github-opencontainers-selinux 1.3.0-2 (bookworm) | 2019
CVE-2019-16884 [HIGH] golang-github-opencontainers-selinux - runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. Scope: local. bookworm: resolved (fixed in 1.3.0-2); bullseye: resolved (fixed in 1.3.
CVE-2019-5736 | LOW | CVSS 8.6 | PoC | fixed in lxc 1:3.1.0+really3.0.3-4 (bookworm) | 2019
CVE-2019-5736 [HIGH] lxc - runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker pr
CVE-2016-9962 | MEDIUM | CVSS 6.4 | fixed in docker.io 1.13.1~ds1-2 (bookworm) | 2016
CVE-2016-9962 [MEDIUM] docker.io - RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside th
CVE-2016-3697 | LOW | CVSS 7.8 | fixed in runc 0.1.0+dfsg-1 (bookworm) | 2016
CVE-2016-3697 [HIGH] docker.io - libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
CVE-2016-8867 | LOW | CVSS 7.5 | 2016
CVE-2016-8867 [HIGH] docker.io - Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved