Skip to main content

runc CVE-2026-41579

| EUVDEUVD-2026-40859 LOW
UNIX Symbolic Link (Symlink) Following (CWE-61)
3.3
CVSS 3.1 · Vendor

Severity by source

Vendor (CNA) PRIMARY
3.3 LOW
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.7 MEDIUM

Malicious image delivered over network; no privileges required to craft it; operator must execute it (UI:R); crosses container-to-host boundary (S:C); limited integrity impact only, no confidentiality or availability impact described.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
SUSE
LOW
qualitative

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
CVSS changed
Jul 01, 2026 - 02:22 NVD
3.3 (LOW)
Analysis Generated
Jun 13, 2026 - 20:46 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Host filesystem integrity violations in runc are triggered when the container runtime processes a malicious OCI image where /dev is configured as a symbolic link rather than a directory. An attacker who can deliver such a crafted image - via a public registry, a supply-chain-compromised base image, or a shared CI/CD pipeline - can cause runc to follow the symlink during container device-node initialization, resulting in limited, unintended write operations on the host filesystem outside the container boundary. The vendor-credited reporter (Aleksa Sarai, a known runc maintainer) describes the impact as 'limited host filesystem integrity violations,' falling short of a full container escape. No public exploit has been identified at time of analysis.

Technical ContextAI

runc is the reference OCI container runtime underpinning Docker Engine, containerd, CRI-O, Podman, and Kubernetes container execution across virtually all major platforms. During container initialization, runc processes the image's root filesystem bundle, including population of the /dev subtree with device nodes and bind mounts. If the image presents /dev as a symbolic link rather than a real directory, runc's path-resolution logic may follow that symlink during /dev setup operations, causing filesystem writes to resolve against an attacker-controlled path on the host. This is a symlink-following / path traversal class of flaw - historically recurring in runc (cf. CVE-2019-5736, CVE-2021-30465) - most likely corresponding to CWE-61 (UNIX Symbolic Link Following) or CWE-22 (Improper Limitation of a Pathname). No CWE has been officially assigned as of the pre-NVD disclosure. CPE identifiers and exact affected version ranges are not yet published.

RemediationAI

No vendor-released patch version has been independently confirmed at time of analysis. Operators should monitor the oss-security thread (https://www.openwall.com/lists/oss-security/2026/06/13) and the runc GitHub releases page for a security release and apply it immediately upon availability. As a compensating control, enforcing container image provenance and integrity verification - such as sigstore/cosign signatures or Notary/TUF policies - prevents untrusted or tampered images from reaching runc, directly blocking the delivery vector; the trade-off is added pipeline complexity and key management overhead. Restricting which users, service accounts, and systems are permitted to pull and execute arbitrary images in multi-tenant environments limits the attacker's ability to introduce a malicious image. Applying seccomp profiles and AppArmor/SELinux policies that restrict unexpected host filesystem writes can reduce the impact of exploitation even if a malicious image is run; these policies may require tuning to avoid breaking legitimate container workloads. Read-only root filesystem enforcement (where operationally feasible) limits the runtime's ability to write outside expected paths.

More in Runc

View all
CVE-2024-21626 HIGH POC
8.6

Alpine Linux: runc fixed in 1.1.12-r0

CVE-2025-52565 HIGH POC
8.4 Nov 06

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 8.4

CVE-2019-16884 HIGH POC
7.5 Sep 25

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass beca

CVE-2025-52881 HIGH POC
7.3 Nov 06

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3

CVE-2025-31133 HIGH POC
7.3 Nov 06

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3

CVE-2023-27561 HIGH POC
7.0 Mar 03

runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linu

CVE-2023-25809 MEDIUM POC
6.3 Mar 29

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated medium severity (CVSS 6

CVE-2021-43784 MEDIUM POC
5.0 Dec 06

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. Rated medium severit

CVE-2021-30465 HIGH
8.5 May 27

runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. Rated high severity (CVSS 8.5), t

CVE-2016-3697 HIGH
7.8 Jun 01

libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a po

CVE-2023-28642 HIGH
7.8 Mar 29

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.8

CVE-2022-29162 HIGH
7.8 May 17

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. Rated high severity

Vendor StatusVendor

Debian

runc
Release Status Fixed Version Urgency
bullseye vulnerable 1.0.0~rc93+ds1-5+deb11u5 -
bullseye (security) vulnerable 1.0.0~rc93+ds1-5+deb11u3 -
bookworm, bookworm (security) vulnerable 1.1.5+ds1-1+deb12u1 -
trixie vulnerable 1.1.15+ds1-2 -
forky, sid vulnerable 1.3.5+ds1-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Low
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected
SLES15-SP6-CHOST-BYOS-EC2 Affected

Share

CVE-2026-41579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy