CVE-2025-52881
Privilege Escalation vulnerability in runc (Go)

What is CVE-2025-52881 About?

This privilege escalation vulnerability in runc allows an attacker to trick runc into misdirecting writes to `/proc` files, potentially leading to container escape or host compromise. It is a race condition involving shared mounts that gives the attacker an arbitrary-write gadget. Exploitation requires specific conditions and can be difficult to achieve reliably.

Affected Software

  • github.com/opencontainers/runc
    • <1.2.8
    • >1.3.0-rc.1, <1.3.3
    • >1.4.0-rc.1, <1.4.0-rc.3
  • github.com/opencontainers/selinux
    • <=1.12.0

Technical Details

The vulnerability is a race condition in runc in which an attacker can trick runc into misdirecting writes intended for files under /proc. Using racing containers with shared mounts, the attacker swaps symbolic links or bind mounts inside a tmpfs so that a write runc intends for a benign path such as /proc/self/attr/<label> or /proc/sys/... lands instead at a more dangerous location such as /proc/sysrq-trigger or /proc/sys/kernel/core_pattern. The misdirected write can bypass LSM labels, trigger a host kernel panic, or lead to container escape via kernel upcalls that run with host root privileges.

What is the Impact of CVE-2025-52881?

Successful exploitation may allow attackers to achieve container escape, execute arbitrary code on the host system with root privileges, bypass security measures like LSM policies, or cause a denial of service on the host.

What is the Exploitability of CVE-2025-52881?

Exploiting this vulnerability is complex and requires precise timing of container execution. The prerequisite is the ability to create and run containers with shared mounts, for example through tools such as docker buildx build. No direct authentication to the host is required once containers can be created. The ultimate goal is privilege escalation, since the misdirected writes reach host-level /proc files. Remote exploitation is possible where an attacker can provision containers. Because the attack depends on winning a race, reliable exploitation is challenging but not impossible in specific setups.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-52881?

Available Upgrade Options

  • github.com/opencontainers/runc
    • <1.2.8 → Upgrade to 1.2.8
    • >1.3.0-rc.1, <1.3.3 → Upgrade to 1.3.3
    • >1.4.0-rc.1, <1.4.0-rc.3 → Upgrade to 1.4.0-rc.3
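
Because the affected ranges mix final releases and release candidates (1.4.0-rc.1 up to but not including 1.4.0-rc.3, while 1.4.0 itself is clean), a naive string comparison of version numbers gets the boundary cases wrong. The following Go program is an added example written for this page, not runc's own code or a tool from the runc project. It parses a runc version string (including the first line printed by `runc --version`), compares it with semver precedence, and reports which of the three upgrade targets listed above applies. The range table is copied from the list above; the one assumption is that the lower bounds are treated as inclusive, so a version sitting exactly on a bound is flagged rather than passed, which is the conservative choice for a vulnerability check.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed runc release: major.minor.patch plus an optional
// pre-release tag such as "rc.2" (empty for a final release).
type version struct {
	nums [3]int
	pre  string
}

// parseVersion accepts "1.3.2", "v1.4.0-rc.2" and the first line printed by
// `runc --version` ("runc version 1.2.7"); text after "+" or whitespace is dropped.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "runc version ")
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "+ \n"); i >= 0 {
		s = s[:i]
	}
	var v version
	if i := strings.Index(s, "-"); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("unrecognised runc version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("unrecognised runc version %q: %w", s, err)
		}
		v.nums[i] = n
	}
	return v, nil
}

// compare follows semver precedence: numeric fields first; a pre-release sorts
// before the final release of the same number (1.4.0-rc.3 < 1.4.0); two
// pre-releases of the same number are ordered as strings (enough for rc.1..rc.9).
func compare(a, b version) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// affectedRange mirrors one entry of the advisory's list for
// github.com/opencontainers/runc. The lower bound is treated as inclusive
// (assumption: a version exactly on the bound is flagged, not passed).
type affectedRange struct{ lower, upper, fixedIn string }

var runcRanges = []affectedRange{
	{"", "1.2.8", "1.2.8"},
	{"1.3.0-rc.1", "1.3.3", "1.3.3"},
	{"1.4.0-rc.1", "1.4.0-rc.3", "1.4.0-rc.3"},
}

// Affected reports whether a runc version string falls in one of the
// CVE-2025-52881 ranges and, if so, the release the advisory says to upgrade to.
func Affected(versionString string) (bool, string, error) {
	v, err := parseVersion(versionString)
	if err != nil {
		return false, "", err
	}
	for _, r := range runcRanges {
		if r.lower != "" {
			if lo, _ := parseVersion(r.lower); compare(v, lo) < 0 {
				continue
			}
		}
		if hi, _ := parseVersion(r.upper); compare(v, hi) < 0 {
			return true, r.fixedIn, nil
		}
	}
	return false, "", nil
}

func main() {
	// Constructed sample inputs; on a host, pass the first line of `runc --version`.
	for _, s := range []string{"runc version 1.2.7", "1.3.0-rc.1", "v1.3.3", "1.4.0-rc.2", "1.4.0"} {
		hit, fix, err := Affected(s)
		fmt.Printf("%-20s affected=%v fix=%q err=%v\n", s, hit, fix, err)
	}
}
```

The check only covers the runc ranges; the selinux module listed under Affected Software has no upgrade target on this page, so it is deliberately left out rather than guessed at. Run it against the output of `runc --version` on each node, or feed it the runc version pinned in a container runtime's dependency manifest.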

Additional Resources

What are Similar Vulnerabilities to CVE-2025-52881?

Similar Vulnerabilities: CVE-2019-19921, CVE-2025-31133, CVE-2021-41190, CVE-2023-38545, CVE-2021-30465