CVE-2025-52565
Denial of Service vulnerability in runc (Go)


What is CVE-2025-52565 About?

This is a denial of service vulnerability with potential for container breakout in runc, due to insufficient checks during a bind-mount operation. An attacker can trick runc into writing to sensitive host paths, causing service disruption or compromising the host. Exploiting this vulnerability would require significant technical understanding of container internals.

Affected Software

  • github.com/opencontainers/runc
    • >1.3.0-rc.1, <1.3.3
    • >1.4.0-rc.1, <1.4.0-rc.3
    • >1.0.0-rc3, <1.2.8

Technical Details

The vulnerability in runc version 1.0.0-rc3 and later arises from insufficient checks during the bind-mounting of /dev/pts/$n to /dev/console for containers that allocate a console. This bind-mount occurs after pivot_root(2) but before maskedPaths and readonlyPaths are applied. An attacker inside a container can exploit this window to trick runc into bind-mounting a path that would normally be read-only or masked onto a writable location within the container. This grants write access to sensitive host files, such as /proc/sysrq-trigger (for host DoS) or /proc/sys/kernel/core_pattern (for container breakout). Related theoretical issues include problematic usages of os.Create that could truncate host files via symlink attacks, and attacks on the /dev/pts/$n inode during pseudo-terminal allocation (TIOCGPTPEER) that involve race conditions or inode manipulation.

What is the Impact of CVE-2025-52565?

Successful exploitation may allow attackers to cause a denial of service on the host system or achieve a container breakout, leading to full host compromise and sensitive data exposure.

What is the Exploitability of CVE-2025-52565?

Exploitation of this vulnerability requires an attacker to be inside a container that allocates a console. The attack is local to the container environment. No specific authentication beyond being able to run code within a container is mentioned. The complexity is very high, demanding an in-depth understanding of Linux kernel primitives, container runtime internals, and race condition exploitation. The attacker must carefully time or craft actions to leverage the short window between the bind-mount and the application of security restrictions. The risk is significantly mitigated by using user namespaces, avoiding running containers with root privileges, and the default containers-selinux policy (though this can be bypassed by related vulnerabilities). Rootless containers offer further protection. The issue's complexity and the layers of mitigation make exploitation challenging for a typical attacker.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2025-52565?


Available Upgrade Options

  • github.com/opencontainers/runc
    • >1.0.0-rc3, <1.2.8 → Upgrade to 1.2.8
    • >1.3.0-rc.1, <1.3.3 → Upgrade to 1.3.3
    • >1.4.0-rc.1, <1.4.0-rc.3 → Upgrade to 1.4.0-rc.3
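Added example (not part of this advisory or of the runc project): a small Python checker that maps the output of `runc --version` onto the affected ranges and upgrade targets listed above. It treats each lower bound as inclusive, following the Technical Details wording "1.0.0-rc3 and later", and assumes runc's `x.y.z` / `x.y.z-rc.N` (or `x.y.z-rcN`) version format; the sample version output is constructed.

```python
import re

# Affected ranges and the fixed version closing each one, as listed in the
# advisory. The lower bound is treated as inclusive (assumption, based on the
# Technical Details text "1.0.0-rc3 and later"); the upper bound is the fix.
AFFECTED_RANGES = [
    ("1.0.0-rc3", "1.2.8"),
    ("1.3.0-rc.1", "1.3.3"),
    ("1.4.0-rc.1", "1.4.0-rc.3"),
]

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")


def parse_version(text):
    """Extract the first x.y.z[-rc.N] version from text as a comparable tuple.

    Tuple layout: (major, minor, patch, is_release, rc_number). A final
    release sorts after every rc of the same x.y.z, as semver requires,
    so '1.4.0' is correctly seen as newer than the fix '1.4.0-rc.3'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no runc version found in {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def assess(version_text):
    """Return (affected, upgrade_to) for a runc version string or
    the full output of `runc --version`."""
    v = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return True, high
    return False, None


if __name__ == "__main__":
    # Constructed sample of `runc --version` output, not a real host.
    sample = "runc version 1.2.6\ncommit: constructed\nspec: 1.2.0"
    affected, fix = assess(sample)
    print("affected" if affected else "not affected", fix)
```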


Additional Resources

What are Similar Vulnerabilities to CVE-2025-52565?

Similar Vulnerabilities: CVE-2025-31133, CVE-2025-52881, CVE-2024-21626, CVE-2023-28642, CVE-2021-30465