CVE-2025-31133
Arbitrary Mount Gadget vulnerability in runc (Go)


What is CVE-2025-31133 About?

runc masks sensitive files inside a container by bind-mounting `/dev/null` over them. Affected versions do not adequately verify the `/dev/null` inode they use for that purpose, so an attacker who can race container setup can turn the masking mount into an arbitrary bind-mount inside the container, bypassing a security feature (the maskedPaths list) or escalating privileges. Depending on what gets mounted, the outcome is a host denial of service, a container escape, or disclosure of host information. Exploitation requires winning specific race conditions and a shared mount configuration, so attack complexity is moderate.

Affected Software

  • github.com/opencontainers/runc
    • <1.2.8
    • >=1.3.0-rc.1, <1.3.3
    • >=1.4.0-rc.1, <1.4.0-rc.3
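To triage hosts against the ranges above, the following version checker is added here as an example; it is not code from this page or from the runc project, and the type and function names are mine. It reads the tag from `runc --version` output (assumed to start with a line of the form `runc version X.Y.Z`, which is what current runc prints), orders release candidates before the final release with the same numbers, and reports whether the installed version is below the fixed release of its branch. Versions on the 1.1 branch and older are reported as vulnerable because those branches are end-of-life and received no fix; a `+...` suffix such as Debian's `1.1.12+ds1` is tolerated.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// version is a parsed runc release tag such as "1.3.2" or "1.4.0-rc.2".
// rc == 0 means a final release, which sorts after every rc of the same
// major.minor.patch (1.4.0-rc.3 < 1.4.0).
type version struct {
	major, minor, patch, rc int
}

// tagRe accepts an optional leading "v", an optional "-rc.N" (or "-rcN")
// pre-release part and an optional "+distro" build suffix, which is ignored.
var tagRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?(?:\+.*)?$`)

// outputRe picks the tag out of `runc --version` output, whose first line
// reads "runc version 1.3.2"; the commit and spec lines are ignored.
var outputRe = regexp.MustCompile(`(?m)^runc version (\S+)`)

func parseVersion(s string) (version, error) {
	m := tagRe.FindStringSubmatch(s)
	if m == nil {
		return version{}, fmt.Errorf("unrecognised runc version %q", s)
	}
	var v version
	v.major, _ = strconv.Atoi(m[1])
	v.minor, _ = strconv.Atoi(m[2])
	v.patch, _ = strconv.Atoi(m[3])
	if m[4] != "" {
		v.rc, _ = strconv.Atoi(m[4])
	}
	return v, nil
}

// rcKey maps "final release" to a sentinel larger than any rc number so
// that a plain lexicographic compare of the four fields orders correctly.
func rcKey(rc int) int {
	if rc == 0 {
		return 1 << 30
	}
	return rc
}

// less reports whether a sorts before b.
func (a version) less(b version) bool {
	ka := [4]int{a.major, a.minor, a.patch, rcKey(a.rc)}
	kb := [4]int{b.major, b.minor, b.patch, rcKey(b.rc)}
	for i := range ka {
		if ka[i] != kb[i] {
			return ka[i] < kb[i]
		}
	}
	return false
}

// fixedBy maps each supported release branch to the first release carrying
// the fix for CVE-2025-31133, as listed in the advisory above.
var fixedBy = map[[2]int]string{
	{1, 2}: "1.2.8",
	{1, 3}: "1.3.3",
	{1, 4}: "1.4.0-rc.3",
}

// VersionFromOutput extracts the release tag from `runc --version` output.
func VersionFromOutput(out string) (string, error) {
	m := outputRe.FindStringSubmatch(out)
	if m == nil {
		return "", fmt.Errorf("no 'runc version' line in output")
	}
	return m[1], nil
}

// Status classifies an installed runc version against the advisory ranges.
// Anything on the 1.2, 1.3 or 1.4 branch below that branch's fixed release
// is vulnerable; 1.1 and older are end-of-life and therefore also vulnerable;
// branches cut after 1.4 are assumed to contain the fix.
func Status(installed string) (vulnerable bool, advice string, err error) {
	v, err := parseVersion(installed)
	if err != nil {
		return false, "", err
	}
	fixed, ok := fixedBy[[2]int{v.major, v.minor}]
	switch {
	case v.major < 1 || (v.major == 1 && v.minor <= 1):
		return true, "branch is end-of-life and unpatched; upgrade to 1.2.8 or newer", nil
	case !ok:
		return false, "not in an affected range", nil
	}
	f, _ := parseVersion(fixed) // entries in fixedBy are well-formed by construction
	if v.less(f) {
		return true, "upgrade to " + fixed, nil
	}
	return false, "already at or above " + fixed, nil
}

func main() {
	// Constructed sample inputs, one per interesting case.
	for _, v := range []string{"1.2.7", "1.3.0-rc.1", "1.3.3", "1.4.0-rc.2", "1.4.0", "1.1.12+ds1"} {
		vuln, advice, err := Status(v)
		if err != nil {
			fmt.Println(v, "->", err)
			continue
		}
		fmt.Printf("%-12s vulnerable=%-5v %s\n", v, vuln, advice)
	}
}
```

Feed it `runc --version` from each node (`VersionFromOutput` then `Status`); a version string that does not parse is reported as an error rather than silently treated as safe.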

Technical Details

runc implements maskedPaths (the list of paths inside the container, mostly under /proc, that must be unreadable from within) by bind-mounting /dev/null over each of them. Affected versions do not sufficiently verify that the /dev/null they are about to use is still the genuine character device at the moment the mount is performed. An attacker who can race runc during container creation, or who shares a mount with a container being set up (for example with docker buildx build), can replace or modify the /dev/null inode inside that window.

If /dev/null is replaced with a symlink to an attacker-controlled path, runc bind-mounts that path, rather than the null device, over the target inside the container. This 'Arbitrary Mount Gadget' supports several attacks: bind-mounting /proc/sysrq-trigger so that writes from inside the container reach the host's SysRq handler (Host Denial of Service), or bind-mounting /proc/sys/kernel/core_pattern so that the container can reconfigure the kernel's coredump helper. Because the kernel runs that helper as a usermode upcall on the host, outside any container namespace, this yields a Container Escape.

A second race deletes /dev/null just before runc performs the bind-mount. The mask is then silently not applied, leaving the supposedly masked /proc files readable from inside the container (Host Information Disclosure).

What is the Impact of CVE-2025-31133?

Successful exploitation may allow an attacker to trigger a kernel panic on the host, power the machine off, hang it without rebooting, reconfigure the kernel's coredump helper to escape the container and obtain root on the host, or read sensitive host information.

What is the Exploitability of CVE-2025-31133?

Exploitation requires the ability to start containers with some control over their configuration, plus the ability to win a race against runc while it sets a container up (or against a container that shares mounts with the attacker, as with docker buildx build) so that /dev/null is replaced or removed at the right moment. The attacker has to orchestrate that timing, which puts the complexity at moderate to high. No credentials on the host are needed: the flaw is in how the runtime handles the container's own files and configuration, so whoever controls the container's contents is in a position to attack. The attack itself is local to the host running the container, but the initial vector can be remote wherever container creation is exposed, for instance a build service that accepts untrusted build contexts. Prerequisites are a vulnerable runc (1.1.x and earlier are unsupported and will not be fixed; 1.2.8, 1.3.3 and 1.4.0-rc.3 carry the fix) and an environment in which the /dev/null inode can be raced or manipulated. Risk is higher with shared mount configurations, with users who can create containers from custom configurations, and without user namespaces, which would map the container's root to an unprivileged host UID and so deny writes to host-owned files such as /proc/sys/kernel/core_pattern and /proc/sysrq-trigger.

What are the Known Public Exploits?

No public proof-of-concept exploits are known.

What are the Available Fixes for CVE-2025-31133?

Resolved Security provides an automated backported fix for affected runc versions.


Available Upgrade Options

  • github.com/opencontainers/runc
    • <1.2.8 → Upgrade to 1.2.8
    • >=1.3.0-rc.1, <1.3.3 → Upgrade to 1.3.3
    • >=1.4.0-rc.1, <1.4.0-rc.3 → Upgrade to 1.4.0-rc.3


Additional Resources

What are Similar Vulnerabilities to CVE-2025-31133?

Similar Vulnerabilities: CVE-2025-52881, CVE-2025-52565, CVE-2023-49007, CVE-2023-28642, CVE-2023-49003