Fluid Attacks Database

Description

runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting /dev/pts/$n to /dev/console inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of /dev/pts/$n to /dev/console as configured for all containers that allocate a console). This happens after pivot_root(2), so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of /proc/sysrq-trigger or /proc/sys/kernel/core_pattern (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	runc	=1.0.0+ds1-1 \|\| =1.0.0~rc93+ds1-5 \|\| =1.0.0~rc93+ds1-5+deb11u1 \|\| =1.0.0~rc93+ds1-5+deb11u2 \|\| =1.0.0~rc93+ds1-5+deb11u3 \|\| =1.0.0~rc93+ds1-5+deb11u4 \|\| =1.0.0~rc93+ds1-5+deb11u5 \|\| =1.0.0~rc93.144.g6538f9f2+ds1-1 \|\| =1.0.0~rc94+ds1-1 \|\| =1.0.0~rc94+ds1-2 \|\| =1.0.0~rc95.86.g2f8e8e9d+ds1-1 \|\| =1.0.1+ds1-1 \|\| =1.0.1+ds1-2 \|\| =1.0.2+ds1-1 \|\| =1.0.2+ds1-2 \|\| =1.0.3+ds1-1 \|\| =1.1.0+ds1-1 \|\| =1.1.0~rc.1+ds1-1 \|\| =1.1.1+ds1-1 \|\| =1.1.10+ds1-1 \|\| =1.1.12+ds1-1 \|\| =1.1.12+ds1-2 \|\| =1.1.12+ds1-3 \|\| =1.1.12+ds1-4 \|\| =1.1.12+ds1-5 \|\| =1.1.12+ds1-5.1 \|\| =1.1.15+ds1-1 \|\| =1.1.15+ds1-2 \|\| =1.1.3+ds1-1 \|\| =1.1.3+ds1-2 \|\| =1.1.3+ds1-3 \|\| =1.1.3+ds1-4 \|\| =1.1.3+ds1-5 \|\| =1.1.3+ds1-6 \|\| =1.1.3+ds1-7 \|\| =1.1.4+ds1-1 \|\| =1.1.5+ds1-1 \|\| =1.1.5+ds1-2 \|\| =1.1.5+ds1-3 \|\| =1.1.5+ds1-4 \|\| =1.1.5+ds1-5 \|\| =1.3.0+ds1-1 \|\| =1.3.0+ds1-2 \|\| =1.3.0+ds1-3 \|\| =1.3.0+ds1-4 \|\| =1.3.2+ds1-1 \|\| =1.3.3+ds1-1 \|\| =1.3.3+ds1-2 \|\| =1.3.3+ds1-3 \|\| =1.3.5+ds1-1	-
debian 12	runc	=1.1.10+ds1-1 \|\| =1.1.12+ds1-1 \|\| =1.1.12+ds1-2 \|\| =1.1.12+ds1-3 \|\| =1.1.12+ds1-4 \|\| =1.1.12+ds1-5 \|\| =1.1.12+ds1-5.1 \|\| =1.1.15+ds1-1 \|\| =1.1.15+ds1-2 \|\| =1.1.5+ds1-1 \|\| =1.1.5+ds1-1+deb12u1 \|\| =1.1.5+ds1-2 \|\| =1.1.5+ds1-3 \|\| =1.1.5+ds1-4 \|\| =1.1.5+ds1-5 \|\| =1.3.0+ds1-1 \|\| =1.3.0+ds1-2 \|\| =1.3.0+ds1-3 \|\| =1.3.0+ds1-4 \|\| =1.3.2+ds1-1 \|\| =1.3.3+ds1-1 \|\| =1.3.3+ds1-2 \|\| =1.3.3+ds1-3 \|\| =1.3.5+ds1-1	-
debian 13	runc	=1.1.15+ds1-2 \|\| =1.3.0+ds1-1 \|\| =1.3.0+ds1-2 \|\| =1.3.0+ds1-3 \|\| =1.3.0+ds1-4 \|\| =1.3.2+ds1-1 \|\| =1.3.3+ds1-1 \|\| =1.3.3+ds1-2 \|\| =1.3.3+ds1-3 \|\| =1.3.5+ds1-1	-
debian 14	runc	=1.1.15+ds1-2 \|\| =1.3.0+ds1-1 \|\| =1.3.0+ds1-2 \|\| =1.3.0+ds1-3 \|\| =1.3.0+ds1-4 \|\| =1.3.2+ds1-1 \|\| =1.3.3+ds1-1 \|\| >=0 <1.3.3+ds1-2	1.3.3+ds1-2
go	github.com/opencontainers/runc	>=1.0.0-rc3 <1.2.8 \|\| >=1.3.0-rc.1 <1.3.3 \|\| >=1.4.0-rc.1 <1.4.0-rc.3	1.2.8, 1.3.3, 1.4.0-rc.3
rpm rhel9.4	runc	<4:1.2.9-1.el9_4	4:1.2.9-1.el9_4
rpm rhel9	runc	<4:1.2.5-3.el9_6 \|\| >=4:1.3.0, <4:1.3.0-4.el9_7	4:1.3.0-4.el9_7

Aliases

1. CVE-2025-525652. NVD-2025-525653. OSV-DEBIAN-2025-525654. OSV-2025-525655. GHSA-qw9x-cqr3-wc7r6. GCVE-2025-525657. SECURITY-TRACKER-CVE-2025-52565

References

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.