Linuxfoundation Runc vulnerabilities
16 known vulnerabilities affecting linuxfoundation/runc.
Total CVEs: 16
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 12, MEDIUM 3, LOW 1
Vulnerabilities
CVE-2025-52565 | HIGH | CVSS 8.4 | Versions: ≥ 1.0.1, < 1.2.8; ≥ 1.3.0, < 1.3.3; +2 more | Published: 2025-11-06
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be
Source: nvd
CVE-2025-52881 | HIGH | CVSS 7.3 | Versions: fixed in 1.2.8; ≥ 1.3.0, < 1.3.3; +1 more | Published: 2025-11-06
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile wit
Source: nvd
CVE-2025-31133 | HIGH | CVSS 7.3 | CWE-61 | Versions: fixed in 1.2.8; ≥ 1.3.0, < 1.3.3; +1 more | Published: 2025-11-06
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container
Source: nvd
CVE-2024-45310 | LOW | CVSS 3.6 | CWE-61 | Versions: fixed in 1.1.14; v1.2.0 | Published: 2024-09-03
runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could b
Source: nvd
CVE-2024-21626 | HIGH | CVSS 8.6 | CWE-403 | Versions: fixed in 1.1.12 | Published: 2024-01-31
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access
Source: nvd
CVE-2023-28642 | HIGH (summary label: MEDIUM) | CVSS 7.8 | CWE-281 | Versions: fixed in 1.1.5 | Published: 2023-03-29
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. Users are advised to upg
Source: nvd
CVE-2023-25809 | MEDIUM | CVSS 6.3 | CWE-281 | Versions: fixed in 1.1.5 | Published: 2023-03-29
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|
Source: nvd
CVE-2023-27561 | HIGH | CVSS 7.0 | Versions: fixed in 1.1.5 | Published: 2023-03-03
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
Source: nvd
CVE-2022-29162 | HIGH (summary label: MEDIUM) | CVSS 7.8 | CWE-276 | Versions: fixed in 1.1.2 | Published: 2022-05-17
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate t
Source: nvd
CVE-2022-24769 | MEDIUM | CVSS 5.9 | CWE-732 | Versions: fixed in 1.1.2 | Published: 2022-03-24
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capa
Source: nvd
CVE-2021-43784 | MEDIUM | CVSS 5.0 | CWE-190 | Versions: fixed in 1.0.3 | Published: 2021-12-06
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the enco
Source: nvd
CVE-2021-30465 | HIGH | CVSS 8.5 | CWE-362 | Versions: ≤ 0.1.1; v1.0.0 | Published: 2021-05-27
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition.
Source: nvd
CVE-2019-19921 | HIGH | CVSS 7.0 | CWE-706 | Versions: ≤ 0.1.1; v1.0.0 | Published: 2020-02-12
runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that hap
Source: nvd
CVE-2019-16884 | HIGH | CVSS 7.5 | CWE-863 | Versions: ≥ 0.0.1, ≤ 0.1.1; v1.0.0 | Published: 2019-09-25
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
Source: nvd
CVE-2019-5736 | HIGH | CVSS 8.6 | PoC | CWE-78 | Versions: ≤ 0.1.1; v1.0.0 | Published: 2019-02-11
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to whi
Source: nvd
CVE-2016-3697 | HIGH | CVSS 7.8 | CWE-264 | Versions: ≤ 0.0.9 | Published: 2016-06-01
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
Source: nvd