v1.4.0-rc.3 · Tags · Debian Go Packaging Team / packages / runc

v1.4.0-rc.3
6c7d8ad6 · VERSION: release v1.4.0-rc.3 · Nov 05, 2025
runc v1.4.0-rc.3 -- "その日、人類は思い出した。"

This release contains fixes for three high-severity security
vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and
CVE-2025-52881). All three vulnerabilities ultimately allow (through
different methods) for full container breakouts by bypassing runc's
restrictions for writing to arbitrary /proc files.

Security:

* CVE-2025-31133 exploits an issue with how masked paths are implemented
  in runc. When masking files, runc will bind-mount the container's
  /dev/null inode on top of the file. However, if an attacker can
  replace /dev/null with a symlink to some other procfs file, runc will
  instead bind-mount the symlink target read-write. This issue affected
  all known runc versions.

  <https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2>

* CVE-2025-52565 is very similar in concept and application to
  CVE-2025-31133, except that it exploits a flaw in /dev/console
  bind-mounts. When creating the /dev/console bind-mount (to
  /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then
  runc will bind-mount the symlink target over /dev/console. This issue
  affected all versions of runc >= 1.0.0-rc3.

  <https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r>

* CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921,
  which was a flaw that allowed an attacker to trick runc into writing
  the LSM process labels for a container process into a dummy tmpfs file
  and thus not apply the correct LSM labels to the container process.
  The mitigation we applied for CVE-2019-19921 was fairly limited and
  effectively only caused runc to verify that when we write LSM labels
  that those labels are actual procfs files. This issue affects all
  known runc versions.

  <https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm>

Fixed:

 * Switched to (*CPUSet).Fill rather than our hacky optimisation when
   resetting the CPU affinity of runc. (#4926, #4927)
 * Correctly close child fds during (*setns).start if an error occurs.
   (#4930, #4936)

Thanks to the following contributors for making this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Lei Wang <ssst0n3@gmail.com>
 * Li Fubang <lifubang@acmcoder.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Tõnis Tiigi <tonistiigi@gmail.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>