Three newly disclosed high-severity bugs in the “runc” container runtime let attackers break out of containers despite standard hardening and isolation controls.

According to Aleksa Sarai, a senior software engineer at SUSE and an OCI board member, the bugs stem from logic flaws in how runc handles writes to certain procfs files, letting attackers inside containers hijack host privileges by abusing masked paths, console bind-mounts, and write gadgets.

“All these vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc’s restrictions for writing to arbitrary /proc files,” Sarai said in an advisory posted to the oss-sec list.

Sarai emphasized that while these attacks require custom mount configurations or untrusted images, the threat is very real for containerized systems, especially in orchestrators like Docker or Kubernetes.

The advisory urges users to update immediately to patched versions or apply the provided patches.

Masked-path issue: CVE-2025-31133

The first of the trio addresses a masked-path issue in runc where the container runtime replaces a file with a bind-mount to “/dev/null”, a data sink file on Unix-like systems. If an attacker can instead make /dev/null a symlink to a critical procfs file (e.g., /proc/sys/kernel/core_pattern or /proc/sysrq-trigger), runc inadvertently mounts that target read-write, granting the attacker host access.

On one variant, runc simply ignores a missing /dev/null and proceeds, which leads to information disclosure via masked files like “/proc/kcore” or “/proc/timer_list”, both sensitive kernel-visible interfaces.

Sarai warned that while the attack cannot mount arbitrary host files directly, the methods are sufficient to trigger full container breakout or host crash.

The flaw, tracked as CVE-2025-31133, affects all known runc versions and has received a severity rating of 7.3 out of 10. It has been fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

Console and Write-Gadget Lurkers: CVE-2025-52565 & CVE-2025-52881

The second vulnerability, tracked as CVE-2025-52565, targets “/dev/console” bind-mount handling. An attacker can replace the target path with a symlink, which will cause runc to bind-mount the wrong target, allowing the attacker to gain write access to procfs paths.

“As with CVE-2025-31133, this happens after pivot_root(2) and so cannot be used to bind-mount host files directly, but an attacker can trick runc into creating a read-write bind-mount of /proc/sys/kernel/core_pattern or /proc/sysrq-trigger, leading to a complete container breakout,” Sarai said, adding that versions 1.0.0-rc3 and later remain vulnerable.

The third flaw (CVE-2025-52881) allows an attacker to bypass Linux Security Modules (LSM) such as SELinux or AppArmor by redirecting writes to procfs files. Once the LSM labels are effectively neutered, writes to host-level procfs become possible, enabling full host compromise.

“Based on our analysis, neither AppArmor nor SELinux can protect against the full version of the redirected write attack,” Sarai said. “ The container runtime is generally privileged enough to write to arbitrary procfs files, which is more than sufficient to cause a container breakout.”

Using rootless containers can help, as doing so will block most of the inadvertent writes, Sarai added. Additional analysis from Sysdig confirmed that all three flaws require the ability to start containers with custom mount configurations, which can be easily achieved through untrusted container images and Dockerfiles. Exploitation of these flaws can be done by monitoring suspicious symlink behaviors, Sysdig said. For this, it has added detection rules for its Secure and Falco users.