github.com/opencontainers/runc vulnerabilities

15 known vulnerabilities affecting github.com/opencontainers/runc.

Total CVEs: 15
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 9, MEDIUM 5, LOW 1

Vulnerabilities

CVE-2025-52881 | HIGH | CVSS 7.0 | Affected: ≥ 0, < 1.2.8; ≥ 1.3.0-rc.1, < 1.3.3; +1 more | Published 2025-11-05
CWE-363: runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects
Impact: This attack is primarily a more sophisticated version of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy `tmpfs` file and thus not apply the correct LS
Sources: GHSA, OSV
CVE-2025-31133 | HIGH | Affected: ≥ 0, < 1.2.8; ≥ 1.3.0-rc.1, < 1.3.3; +1 more | Published 2025-11-05
CWE-363: runc container escape via "masked path" abuse due to mount race conditions
Impact: The OCI runtime specification has a `maskedPaths` feature that allows files or directories to be "masked" by placing a mount on top of them to conceal their contents. This is primarily intended to protect against privileged users in non-user-namespaced containers being able to write to files or access dir
Sources: GHSA, OSV
CVE-2025-52565 | HIGH | CVSS 7.3 | Affected: ≥ 1.0.0-rc3, < 1.2.8; ≥ 1.3.0-rc.1, < 1.3.3; +1 more | Published 2025-11-05
CWE-363: runc container escape with malicious config due to /dev/console mount and related races
Impact: This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). In runc version
Sources: GHSA, OSV
CVE-2024-45310 | MEDIUM | Affected: ≥ 0, < 1.1.14; ≥ 1.2.0-rc.1, < 1.2.0-rc.3 | Published 2024-09-03
CWE-363: runc can be confused to create empty files/directories on the host
Impact: runc 1.1.13 and earlier as well as 1.2.0-rc2 and earlier can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with os.MkdirAll. While this can be used to create empty files, existing files will not be tru
Sources: GHSA, OSV
CVE-2024-21626 | HIGH | Public PoC | Affected: ≥ 1.0.0-rc93, < 1.1.12 | Published 2024-01-31
CWE-403: runc vulnerable to container breakout through process.cwd trickery and leaked fds
Impact: In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from `runc exec`) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2").
Sources: GHSA, OSV
CVE-2023-28642 | HIGH | CVSS 7.0 | Affected: ≥ 0, < 1.1.5 | Published 2023-03-30
CWE-281: runc AppArmor bypass with symlinked /proc
Impact: It was found that AppArmor, and potentially SELinux, can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration.
Patches: Fixed in runc v1.1.5, by prohibiting symlinked `/proc`: https://github.com/opencontainers/runc/pull/3785 This PR fixes CVE-2023-27561 as well.
Workarounds: Avoid using an untrusted container image.
Sources: GHSA, OSV
CVE-2023-25809 | LOW | Affected: ≥ 0, < 1.1.5 | Published 2023-03-30
CWE-281: rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
Impact: It was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl)
Sources: GHSA, OSV
CVE-2023-27561 | HIGH | CVSS 7.0 | Affected: ≥ 1.0.0-rc95, < 1.1.5 | Published 2023-03-03
CWE-706: Opencontainers runc Incorrect Authorization vulnerability
runc 1.0.0-rc95 through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to `libcontainer/rootfs_linux.go`. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
Sources: GHSA, OSV
CVE-2022-29162 | MEDIUM | Affected: ≥ 0, < 1.1.2 | Published 2022-05-24
CWE-276: Default inheritable capabilities for linux container should be empty
Impact: A bug was found in runc where `runc exec --cap` executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the c
Sources: GHSA, OSV
CVE-2019-16884 | HIGH | Affected: ≥ 0, < 1.0.0-rc8.0.20190930145003-cad42f6e0932 | Published 2022-02-22
CWE-863: Incorrect Authorization in runc
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
Sources: GHSA, OSV
CVE-2016-3697 | HIGH | Affected: ≥ 0, < 0.1.0 | Published 2021-12-20
CWE-269: Privilege Elevation in runc
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
Sources: GHSA, OSV
CVE-2016-9962 | MEDIUM | Affected: ≥ 0, < 1.0.0-rc3 | Published 2021-12-20
CWE-200: Information Exposure in RunC
RunC allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file descriptors of these new processes during initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
Sources: GHSA, OSV
CVE-2021-43784 | MEDIUM | Affected: ≥ 0, < 1.0.3 | Published 2021-12-07
CWE-190: Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC
Impact: In runc, netlink (https://www.man7.org/linux/man-pages/man7/netlink.7.html) is used internally as a serialization system for specifying the relevant container configuration to the C portion of our code (responsible for the b
Sources: GHSA, OSV
CVE-2019-19921 | MEDIUM | Affected: ≥ 0, < 1.0.0-rc9.0.20200122160610-2fc03cc11c77 | Published 2021-05-27
CWE-362: opencontainers runc contains procfs race condition with a shared volume mount
Impact: By crafting a malicious root filesystem (with `/proc` being a symlink to a directory which was inside a volume shared with another running container), an attacker in control of both containers can trick `runc` into not correctly configuring the container's security labels and not correctly masking p
Sources: GHSA, OSV
CVE-2021-30465 | HIGH | CVSS 8.5 | Affected: ≥ 0, < 1.0.0-rc95 | Published 2021-05-25
CWE-22: mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs
Summary: runc 1.0.0-rc94 and earlier are vulnerable to a symlink exchange attack whereby an attacker can request a seemingly-innocuous container configuration that actually results in the host filesystem being bind-mounted into the container (allowing for a container escape). CVE-2021-
Sources: GHSA, OSV
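A checker that maps an installed runc version to the advisories listed above, added here as an example; it is not code from the runc project or from the GHSA/OSV databases. It transcribes the affected ranges exactly as printed on this page, so the "+1 more" ranges of the three 2025 advisories, which the page does not show, are absent, and an empty result for a 1.3.x or later runc only means that nothing printed on this page applies. The version number is the one on the first line of `runc --version` ("runc version 1.1.11"). The ordering rules in the comments (a release is newer than its rc builds, rc10 sorts after rc9, a Go pseudo-version falls between the rc it extends and the next rc) are this example's own handling of runc's version scheme, not something the page states.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Key normalizes a runc version into a string whose byte order is version order, so ranges can
// be checked with plain string comparison. Release numbers are zero-padded; a release gets the
// suffix "~" so it sorts after its own pre-releases (1.3.0 > 1.3.0-rc.1); each pre-release
// identifier keeps its letter prefix and zero-pads its number, so rc10 > rc9 (strict SemVer's
// ASCII rule would put rc10 first, wrong for runc's rc1..rc95 series) and rc8 <
// rc8.0.20190930145003-cad42f6e0932 < rc9, the order the Go pseudo-versions used as upper bounds
// above need. Text after an identifier's digits (a pseudo-version's commit hash) is ignored.
func Key(version string) (string, error) {
	core, pre, hasPre := strings.Cut(strings.TrimPrefix(strings.TrimSpace(version), "v"), "-")
	var major, minor, patch int
	if n, err := fmt.Sscanf(core, "%d.%d.%d", &major, &minor, &patch); n != 3 || err != nil {
		return "", fmt.Errorf("malformed runc version %q", version)
	}
	key := fmt.Sprintf("%010d.%010d.%010d", major, minor, patch)
	if !hasPre {
		return key + "~", nil
	}
	for _, id := range strings.Split(pre, ".") {
		n, digits := 0, strings.IndexAny(id, "0123456789")
		if digits < 0 {
			digits = len(id)
		} else {
			_, _ = fmt.Sscanf(id[digits:], "%d", &n)
		}
		key += fmt.Sprintf("-%s%020d", id[:digits], n)
	}
	return key, nil
}

// mustKey is for the static table below: "" stays "" (it sorts before every key and stands for
// the listing's "≥ 0"); a typo in the table panics at first use.
func mustKey(s string) string {
	if s == "" {
		return ""
	}
	k, err := Key(s)
	if err != nil {
		panic(err)
	}
	return k
}

// Range is one affected interval: Introduced <= version < Fixed.
type Range struct{ Introduced, Fixed string }

// Advisories transcribes the ranges printed on this page. The "+1 more" ranges of the three
// 2025 advisories are not shown on the page and are therefore not included here.
var Advisories = map[string][]Range{
	"CVE-2025-52881": {{"", "1.2.8"}, {"1.3.0-rc.1", "1.3.3"}},
	"CVE-2025-31133": {{"", "1.2.8"}, {"1.3.0-rc.1", "1.3.3"}},
	"CVE-2025-52565": {{"1.0.0-rc3", "1.2.8"}, {"1.3.0-rc.1", "1.3.3"}},
	"CVE-2024-45310": {{"", "1.1.14"}, {"1.2.0-rc.1", "1.2.0-rc.3"}},
	"CVE-2024-21626": {{"1.0.0-rc93", "1.1.12"}},
	"CVE-2023-28642": {{"", "1.1.5"}},
	"CVE-2023-25809": {{"", "1.1.5"}},
	"CVE-2023-27561": {{"1.0.0-rc95", "1.1.5"}},
	"CVE-2022-29162": {{"", "1.1.2"}},
	"CVE-2019-16884": {{"", "1.0.0-rc8.0.20190930145003-cad42f6e0932"}},
	"CVE-2016-3697":  {{"", "0.1.0"}},
	"CVE-2016-9962":  {{"", "1.0.0-rc3"}},
	"CVE-2021-43784": {{"", "1.0.3"}},
	"CVE-2019-19921": {{"", "1.0.0-rc9.0.20200122160610-2fc03cc11c77"}},
	"CVE-2021-30465": {{"", "1.0.0-rc95"}},
}

// Affecting returns, sorted, the listed CVE IDs whose ranges contain version.
func Affecting(version string) ([]string, error) {
	k, err := Key(version)
	if err != nil {
		return nil, err
	}
	var hits []string
	for id, ranges := range Advisories {
		for _, r := range ranges {
			if lo, hi := mustKey(r.Introduced), mustKey(r.Fixed); k >= lo && k < hi {
				hits = append(hits, id)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits, nil
}

func main() {
	// "1.1.11" stands in for the number on the first line of `runc --version` (constructed input).
	hits, err := Affecting("1.1.11")
	if err != nil {
		panic(err)
	}
	fmt.Printf("runc 1.1.11: %d listed advisories apply\n%s\n", len(hits), strings.Join(hits, "\n"))
}
```

Comparing zero-padded keys rather than parsed structs keeps the range check to one string comparison and makes the two tricky cases explicit: a release must beat its own rc builds, and the Go pseudo-version upper bounds for CVE-2019-16884 and CVE-2019-19921 must sit after the rc they extend, so that 1.0.0-rc10 reads as not affected by either while still falling under CVE-2021-30465's `< 1.0.0-rc95`.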