CVE-2025-52881

Aliases:GHSA-cgrx-mc8f-2prmGO-2025-4098

Advisory lineage Upstream: 0 Downstream: 68

Downstream

DEBIAN-CVE-2025-52881 MGASA-2025-0271 OPENSUSE-SU-2025:15705-1 OPENSUSE-SU-2025:15721-1 OPENSUSE-SU-2025:15843-1 OPENSUSE-SU-2025:15845-1

Analyzed

Published: 06 Nov 2025, 20:23

Last modified:06 Nov 2025, 21:07

Vulnerability Summary

Overall Risk (default)

medium

40/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.02% LOW

0% probability -0.02%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

06 Nov 2025, 20:23

Published

Vulnerability first disclosed

06 Nov 2025, 21:07

Last Modified

Vulnerability information updated

Description

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

CVSS Metrics

v4.0•HIGH•Score: 7.3CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
v4.0•HIGH•Score: 7.3CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
v3.1•HIGH•Score: 7.5CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.02%• Percentile: 4%

Techniques & Countermeasures

CWE-61•UNIX Symbolic Link (Symlink) Following
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-363•Race Condition Enabling Link Following
The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.

Affected Systems

github.com/opencontainers•runc
< 1.2.8 | ≥ 1.3.0-rc.1, < 1.3.3 | ≥ 1.4.0-rc.1, < 1.4.0-rc.3
github.com/opencontainers•selinux
< 1.13.0
linuxfoundation•runc
< 1.2.8 | ≥ 1.3.0, < 1.3.3 | 1.4.0:rc1 | 1.4.0:rc2
opencontainers•runc
< 1.2.8 | < 1.3.3 | < 1.4.0-rc.3