Bulletin ID: AWS-2025-024
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/11/5 8:45 AM PDT
CVE Identifiers: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881
AWS is aware of recently disclosed security issues affecting the runc component of several open source container management systems (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) when launching new containers. AWS does not consider containers a security boundary, and does not utilize containers to isolate customers from each other. There is no cross-customer risk from these issues. AWS customers that utilize containers to isolate workloads within their own self-managed environments are strongly encouraged to contact their operating system vendor for any updates or instructions necessary to mitigate any potential concerns arising from these issues.
With the exception of the AWS services listed below, no customer action is required to address these issues. As a best practice, AWS always recommends that you apply all security patches and software version updates.
Amazon Linux
An updated version of runc will be available for Amazon Linux 2 (runc-1.3.2-2.amzn2) and for Amazon Linux 2023 (runc-1.3.2-2.amzn2023.0.1). AWS recommends that customers using Amazon Linux 2 or Amazon Linux 2023 update their version of runc to at least 1.3.2-2. Further information is available in the Amazon Linux Security Center.
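A practical way to act on the "at least 1.3.2-2" guidance is to compare the installed package against that floor across a fleet. The following is an added example, not code from AWS or the bulletin; it assumes the input is the name-version-release.arch string that `rpm -q runc` prints on Amazon Linux, and the inventory it runs over is constructed (the two patched package names are the ones the bulletin lists, the older builds are made up).

```python
"""Check whether an installed runc RPM meets the bulletin's minimum (runc >= 1.3.2-2).

Added example, not part of the AWS bulletin. It assumes the package string is the
NVRA form printed by `rpm -q runc` on Amazon Linux (name-version-release.arch); the
sample fleet output below is constructed, not captured from real hosts.
"""
import re

# Minimum fixed version/release named in the bulletin for Amazon Linux 2 and 2023.
MIN_VERSION = "1.3.2"
MIN_RELEASE = "2"

_ARCHES = {"x86_64", "aarch64", "noarch", "i686"}
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split into numeric/alpha segments, compare pairwise.

    Returns 1 if a is newer, -1 if older, 0 if equal. Numeric segments compare as
    integers, a numeric segment beats an alpha one, and the longer string wins
    when all shared segments tie (so "2.amzn2023.0.1" > "2"). Tilde/caret
    handling from real rpm is omitted; Amazon Linux runc releases don't use them.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvra(pkg: str):
    """Split 'runc-1.3.2-2.amzn2023.0.1.x86_64' into (name, version, release)."""
    base, dot, suffix = pkg.rpartition(".")
    if dot and suffix in _ARCHES:
        pkg = base  # drop the architecture tag if present
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def is_patched(pkg: str, min_version: str = MIN_VERSION, min_release: str = MIN_RELEASE) -> bool:
    """True if the installed runc is at or above the bulletin's minimum."""
    name, version, release = parse_nvra(pkg)
    if name != "runc":
        raise ValueError(f"expected a runc package, got {name!r}")
    c = rpmvercmp(version, min_version)
    if c != 0:
        return c > 0
    return rpmvercmp(release, min_release) >= 0


def unpatched_hosts(inventory: dict) -> list:
    """Return hostnames whose runc package is below the minimum."""
    return [host for host, pkg in inventory.items() if not is_patched(pkg)]


# Constructed sample: one `rpm -q runc` line per host (the two patched strings are
# the package names given in the bulletin; the others are made-up older builds).
SAMPLE_INVENTORY = {
    "al2-node-a": "runc-1.3.2-2.amzn2.x86_64",
    "al2023-node-b": "runc-1.3.2-2.amzn2023.0.1.aarch64",
    "al2023-node-c": "runc-1.3.2-1.amzn2023.0.1.x86_64",   # older release, same version
    "al2-node-d": "runc-1.2.6-1.amzn2.x86_64",             # older version
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: runc below {MIN_VERSION}-{MIN_RELEASE}, update required")
```

The release field matters as much as the version: `1.3.2-1` would carry the same upstream version number but is still below the fixed build, which is why the comparison falls through to the release segments when the versions tie.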
Bottlerocket
An updated version of runc is included in Bottlerocket 1.50.0, which will be released on November 5, 2025. AWS recommends that customers using Bottlerocket apply this update. Further information will be posted in the Bottlerocket Release Notes.
Amazon Elastic Container Service (ECS)
Amazon ECS will release an updated version of Amazon ECS-Optimized Amazon Machine Images (AMIs) on November 5, 2025 (version 20251031). This updated version includes a new runc version (version 1.3.2-2). We recommend that customers using ECS on EC2 instances either update to these latest AMIs or run “yum update --security” to obtain the security patches. For more information, please refer to the Amazon ECS-optimized AMI user guide.
Amazon ECS Fargate will automatically include an updated version of runc in all Fargate tasks launched after November 5, 2025. Customers do not need to take any action.
Amazon ECS Managed Instances will release new AMIs on November 5, 2025, with an updated version of runc. ECS will prevent new tasks from landing on existing container instances. Instead, all new tasks will be placed on new container instances that will use the new AMIs with the updated runc version. Customers do not need to take any action.
Amazon Elastic Kubernetes Service (EKS)
Amazon EKS will release updated EKS Auto Mode AMIs with a patched container runtime on November 5, 2025. Auto Mode NodePools set to default drift settings will automatically begin updating to the patched AMI version. Nodes with node disruption controls in place will update to the patched version within 21 days of their initial launch. To update your nodes right away, you can delete them to force an immediate replacement. Customers can verify that nodes are running a patched AMI by running kubectl get node -o wide and inspecting the “OS Image” field. Nodes which are patched will have a date of 2025.11.01 or later (e.g. Bottlerocket (EKS Auto, Standard) 2025.11.01 (aws-k8s-1.34-standard)).
Amazon EKS will release updated EKS-optimized AL2/AL2023 Amazon Machine Images (AMIs) version v20251103 with the patched container runtime on November 5, 2025. The EKS Bottlerocket AMI 1.50.0 also contains the patched container runtime. Customers using Managed node groups can upgrade their node groups by referring to the EKS documentation. Customers using Karpenter can update their nodes by following the documentation on drift or AMI selection. Customers using self-managing worker nodes can replace existing nodes by referring to the EKS documentation.
Amazon EKS Fargate will make an update available for new pods on new or existing clusters on November 5, 2025. Customers must delete existing Amazon EKS Fargate pods to use the patched runtime. Customers can verify their nodes are patched with Kubelet version ending in eks-3cfe0ce by running kubectl get nodes. Please refer to the Getting started with AWS Fargate using Amazon EKS documentation for information on deleting and creating Fargate pods.
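The two manual checks above (OS Image date for Auto Mode nodes, kubelet suffix for Fargate nodes) can be applied to a whole cluster at once. The script below is an added example, not from the bulletin or from any EKS tooling: it parses the JSON that `kubectl get nodes -o json` emits and reports nodes that fail the check that applies to them. It assumes Fargate nodes are recognisable by the "fargate-" name prefix and Auto Mode nodes by "EKS Auto" in the OS Image string (the format of the bulletin's example); the node list it ships with is constructed.

```python
"""Audit EKS nodes against the bulletin's patched-runtime markers.

Added example, not from the AWS bulletin or the EKS tooling. It parses the JSON that
`kubectl get nodes -o json` emits and applies the two checks the bulletin gives:
EKS Auto Mode nodes must show an OS Image dated 2025.11.01 or later, and EKS
Fargate nodes must run a kubelet version ending in eks-3cfe0ce. Assumptions:
Fargate nodes are recognised by the "fargate-" name prefix, Auto Mode nodes by
"EKS Auto" in the OS Image string (the format the bulletin's example uses). The
sample document below is constructed; its kubelet build hashes are placeholders.
"""
import json
import re
from datetime import date

PATCHED_AUTO_MODE_DATE = date(2025, 11, 1)
PATCHED_FARGATE_KUBELET_SUFFIX = "eks-3cfe0ce"
_IMAGE_DATE = re.compile(r"(\d{4})\.(\d{2})\.(\d{2})")


def classify_node(node: dict):
    """Return (name, kind, patched). patched is True/False for Auto Mode and
    Fargate nodes, and None when neither bulletin check applies (managed and
    self-managed node groups are verified by the AMI version configured on the
    node group or launch template instead)."""
    name = node["metadata"]["name"]
    info = node["status"]["nodeInfo"]
    if name.startswith("fargate-"):  # assumption: Fargate node naming
        return name, "fargate", info["kubeletVersion"].endswith(PATCHED_FARGATE_KUBELET_SUFFIX)
    if "EKS Auto" in info["osImage"]:
        m = _IMAGE_DATE.search(info["osImage"])
        ok = m is not None and date(*map(int, m.groups())) >= PATCHED_AUTO_MODE_DATE
        return name, "auto-mode", ok
    return name, "other", None


def unpatched_nodes(kubectl_json: str) -> list:
    """Names of nodes that fail the bulletin check that applies to them."""
    nodes = json.loads(kubectl_json)["items"]
    return [name for name, _, ok in map(classify_node, nodes) if ok is False]


def _node(name, os_image, kubelet):
    """Build the subset of a v1.Node object that the checks read."""
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"osImage": os_image, "kubeletVersion": kubelet}}}


# Constructed `kubectl get nodes -o json` output: two Auto Mode nodes, two Fargate
# nodes (one patched each), and one managed-node-group node the checks skip.
# "eks-0000000" / "eks-1111111" are placeholder build hashes, not real values.
SAMPLE_KUBECTL_JSON = json.dumps({"items": [
    _node("i-auto-new", "Bottlerocket (EKS Auto, Standard) 2025.11.01 (aws-k8s-1.34-standard)", "v1.34.1-eks-0000000"),
    _node("i-auto-old", "Bottlerocket (EKS Auto, Standard) 2025.10.20 (aws-k8s-1.34-standard)", "v1.34.1-eks-0000000"),
    _node("fargate-ip-10-0-1-10.ec2.internal", "Amazon Linux 2023", "v1.34.1-eks-3cfe0ce"),
    _node("fargate-ip-10-0-1-11.ec2.internal", "Amazon Linux 2023", "v1.34.1-eks-1111111"),
    _node("ip-10-0-2-20.ec2.internal", "Amazon Linux 2023.8", "v1.34.1-eks-0000000"),
]})

if __name__ == "__main__":
    for name in unpatched_nodes(SAMPLE_KUBECTL_JSON):
        print(f"{name}: not yet on the patched runtime")
```

To run it against a live cluster, replace the constant with `sys.stdin.read()` and pipe `kubectl get nodes -o json` into it. Nodes reported as "other" are not cleared by this script; for managed node groups, Karpenter and self-managed nodes the evidence is the AMI version (v20251103 or Bottlerocket 1.50.0) on the node group, NodePool or launch template, which the node object does not expose in these two fields.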
Amazon EKS Anywhere will release updated versions v0.24.0 and 0.23.5 with the patched runc (version 1.3.2-2) on November 6, 2025. Customers can refer to the EKS Anywhere Upgrade cluster documentation on how to upgrade clusters to use patched virtual machine images.
AWS Elastic Beanstalk
Updated AWS Elastic Beanstalk Docker and ECS-based platform versions will be available on November 5, 2025. Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no action required. Customers can also update immediately by going to the Managed Updates configuration page and clicking on the “Apply now” button. Customers who have not enabled Managed Platform Updates can update their environment’s platform version by following instructions in the documentation.
Finch
An updated version of runc will be available for Finch for macOS and Windows platforms on November 5, 2025 in the latest release, v1.13.0. Customers should upgrade their Finch installation on macOS and Windows to address this issue. Finch releases can be downloaded through the project’s GitHub release page or by running “brew update” if you installed Finch via Homebrew. Once updated, the virtual machine needs to be re-initialized by removal and new initialization (init) of the virtual machine.
AWS Deep Learning AMI
Updated Amazon Linux 2 and Amazon Linux 2023 Deep Learning AMIs will be available on November 5, 2025. Customers should update to the latest AMI version when available.
AWS Batch
As a general security best practice, we recommend that Batch customers replace their existing Compute Environments with the latest AMI after it is available. Instructions for replacing the Compute Environment are available in the Batch product documentation. An updated Amazon ECS and EKS Optimized AMI will be available on November 12, 2025 as the default Compute Environment AMI.
Batch customers who do not use the default AMI should contact their operating system vendor for the updates necessary to address these issues. Instructions for Batch custom AMI are available in the Batch product documentation.
Amazon SageMaker
Any SageMaker resources created or restarted after November 7, 2025 will automatically include the patched version of runc. This includes SageMaker Notebook Instances, SageMaker Training Jobs, SageMaker Processing Jobs, SageMaker Batch Transform Jobs, SageMaker Studio and SageMaker Inference. AWS will begin patching existing SageMaker resources created before November 7, 2025 once the AWS Deep Learning AMI and Amazon Linux AMIs become available.
Please email aws-security@amazon.com with any security questions or concerns.