Skip to main content

Runc CVE-2025-31133

HIGH
UNIX Symbolic Link (Symlink) Following (CWE-61)
2025-11-06 security-advisories@github.com
Denial Of Service Information Disclosure Runc Red Hat Suse
7.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Red Hat
8.2 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
Patch released
Mar 28, 2026 - 19:20 nvd
Patch available
CVE Published
Nov 06, 2025 - 19:15 nvd
HIGH 7.3

DescriptionGitHub Advisory

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

AnalysisAI

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-61. runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3. Affected products include: Linuxfoundation Runc. Version information: through 1.3.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.99 Affected
Container suse/sl-micro/6.0/base-os-container:2.1.3-5.7 Image SL-Micro Affected
Container suse/sl-micro/6.0/toolbox:latest Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.29 Affected
Container suse/sl-micro/6.1/base-os-container:2.2.0-4.57 Affected

Share

CVE-2025-31133 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy