All errata/c10f2/ALT-PU-2025-15364-4
ALT-PU-2025-15364-4

Package update runc in branch c10f2

Version1.4.0-alt1
Task#401805
Published2026-02-04
Max severityHIGH
Severity:

Closed issues (9)

BDU:2025-14040
HIGH8.2

Уязвимость инструмента для запуска изолированных контейнеров runc, связанная с состоянием гонки, разрешающим отслеживание ссылок, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2025-11-12Modified: 2026-04-27
CVSS 3.xHIGH 8.2
CVSS:3.x/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:C/A:C
References
BDU:2025-14041
HIGH8.2

Уязвимость функции maskedPaths инструмента для запуска изолированных контейнеров runc, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2025-11-12Modified: 2026-04-20
CVSS 3.xHIGH 8.2
CVSS:3.x/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:C/A:C
References
BDU:2025-14042
MEDIUM6.3

Уязвимость инструмента для запуска изолированных контейнеров runc, связанная с состоянием гонки, разрешающим отслеживание ссылок, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2025-11-12Modified: 2026-04-20
CVSS 3.xMEDIUM 6.3
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
CVSS 2.0MEDIUM 4.9
CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:C/A:N
References
CVE-2025-31133
HIGH7.3

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Published: 2025-11-06Modified: 2025-12-03
CVSS 3.xHIGH 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0HIGH 7.3
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2025-52565
HIGH8.4

runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Published: 2025-11-06Modified: 2025-12-03
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 4.0HIGH 8.4
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2025-52881
HIGH7.3

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

Published: 2025-11-06Modified: 2025-12-03
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 4.0HIGH 7.3
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
GHSA-9493-h29p-rfm2
HIGH7.3

runc container escape via "masked path" abuse due to mount race conditions

Published: 2025-11-05Modified: 2025-11-18
CVSS 4.0HIGH 7.3
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References
GHSA-cgrx-mc8f-2prm
HIGH7.3

runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects

Published: 2025-11-05Modified: 2025-11-18
CVSS 4.0HIGH 7.3
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References
GHSA-qw9x-cqr3-wc7r
HIGH7.3

runc container escape with malicious config due to /dev/console mount and related races

Published: 2025-11-05Modified: 2025-11-18
CVSS 4.0HIGH 7.3
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References