Fluid Attacks Database

Description

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	runc	=1.0.0+ds1-1 \|\| =1.0.0~rc93+ds1-5 \|\| =1.0.0~rc93+ds1-5+deb11u1 \|\| =1.0.0~rc93+ds1-5+deb11u2 \|\| =1.0.0~rc93+ds1-5+deb11u3 \|\| =1.0.0~rc93+ds1-5+deb11u4 \|\| =1.0.0~rc93+ds1-5+deb11u5 \|\| =1.0.0~rc93.144.g6538f9f2+ds1-1 \|\| =1.0.0~rc94+ds1-1 \|\| =1.0.0~rc94+ds1-2 \|\| =1.0.0~rc95.86.g2f8e8e9d+ds1-1 \|\| =1.0.1+ds1-1 \|\| =1.0.1+ds1-2 \|\| =1.0.2+ds1-1 \|\| =1.0.2+ds1-2 \|\| =1.0.3+ds1-1 \|\| =1.1.0+ds1-1 \|\| =1.1.0~rc.1+ds1-1 \|\| =1.1.1+ds1-1 \|\| =1.1.10+ds1-1 \|\| =1.1.12+ds1-1 \|\| =1.1.12+ds1-2 \|\| =1.1.12+ds1-3 \|\| =1.1.12+ds1-4 \|\| =1.1.12+ds1-5 \|\| =1.1.12+ds1-5.1 \|\| =1.1.15+ds1-1 \|\| =1.1.15+ds1-2 \|\| =1.1.3+ds1-1 \|\| =1.1.3+ds1-2 \|\| =1.1.3+ds1-3 \|\| =1.1.3+ds1-4 \|\| =1.1.3+ds1-5 \|\| =1.1.3+ds1-6 \|\| =1.1.3+ds1-7 \|\| =1.1.4+ds1-1 \|\| =1.1.5+ds1-1 \|\| =1.1.5+ds1-2 \|\| =1.1.5+ds1-3 \|\| =1.1.5+ds1-4 \|\| =1.1.5+ds1-5 \|\| =1.3.0+ds1-1 \|\| =1.3.0+ds1-2 \|\| =1.3.0+ds1-3 \|\| =1.3.0+ds1-4 \|\| =1.3.2+ds1-1 \|\| =1.3.3+ds1-1 \|\| =1.3.3+ds1-2 \|\| =1.3.3+ds1-3 \|\| =1.3.5+ds1-1	-
debian 12	runc	=1.1.10+ds1-1 \|\| =1.1.12+ds1-1 \|\| =1.1.12+ds1-2 \|\| =1.1.12+ds1-3 \|\| =1.1.12+ds1-4 \|\| =1.1.12+ds1-5 \|\| =1.1.12+ds1-5.1 \|\| =1.1.15+ds1-1 \|\| =1.1.15+ds1-2 \|\| =1.1.5+ds1-1 \|\| =1.1.5+ds1-1+deb12u1 \|\| =1.1.5+ds1-2 \|\| =1.1.5+ds1-3 \|\| =1.1.5+ds1-4 \|\| =1.1.5+ds1-5 \|\| =1.3.0+ds1-1 \|\| =1.3.0+ds1-2 \|\| =1.3.0+ds1-3 \|\| =1.3.0+ds1-4 \|\| =1.3.2+ds1-1 \|\| =1.3.3+ds1-1 \|\| =1.3.3+ds1-2 \|\| =1.3.3+ds1-3 \|\| =1.3.5+ds1-1	-
debian 13	runc	=1.1.15+ds1-2 \|\| =1.3.0+ds1-1 \|\| =1.3.0+ds1-2 \|\| =1.3.0+ds1-3 \|\| =1.3.0+ds1-4 \|\| =1.3.2+ds1-1 \|\| =1.3.3+ds1-1 \|\| =1.3.3+ds1-2 \|\| =1.3.3+ds1-3 \|\| =1.3.5+ds1-1	-
debian 14	runc	=1.1.15+ds1-2 \|\| =1.3.0+ds1-1 \|\| =1.3.0+ds1-2 \|\| =1.3.0+ds1-3 \|\| =1.3.0+ds1-4 \|\| =1.3.2+ds1-1 \|\| =1.3.3+ds1-1 \|\| >=0 <1.3.3+ds1-2	1.3.3+ds1-2
go	github.com/opencontainers/runc	>=0 <1.2.8 \|\| >=1.3.0-rc.1 <1.3.3 \|\| >=1.4.0-rc.1 <1.4.0-rc.3	1.2.8, 1.3.3, 1.4.0-rc.3
rpm rhel9	runc	<4:1.2.5-3.el9_6 \|\| >=4:1.3.0, <4:1.3.0-4.el9_7	4:1.3.0-4.el9_7
rpm rhel9.4	runc	<4:1.2.9-1.el9_4	4:1.2.9-1.el9_4

Aliases

1. CVE-2025-311332. NVD-2025-311333. OSV-DEBIAN-2025-311334. OSV-2025-311335. GHSA-9493-h29p-rfm26. GCVE-2025-311337. SECURITY-TRACKER-CVE-2025-31133

References

1. https://github.com/sahar042/CVE-2025-311332. https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm23. https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d485224. https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb665. https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f6. https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.