CVE-2025-52565
Essential information
- Published
- 06/11/2025 20:15
- Modified
- 03/12/2025 18:33
- Author
- —
- Creator
- —
- CVSS
- 8.4 HIGH (v3) 8.4 HIGH (v4.0)
- CISA KEV
- No
- CWE
- —
- CVSS vector
- CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS metrics
- Attack vector
- LOCAL
- Attack complexity
- LOW
- Attack requirements
- NONE
- Privileges required
- NONE
- User interaction
- PASSIVE
- Confidentiality (V)
- NONE
- Confidentiality (S)
- HIGH
- Integrity (V)
- HIGH
- Integrity (S)
- HIGH
- Availability (V)
- NONE
- Availability (S)
- HIGH
- Exploit maturity
- NOT_DEFINED
Description
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, runc performs insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container. As a result, an attacker can trick runc into bind-mounting paths that would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so it cannot be used to write to host files directly; however, as with CVE-2025-31133, it can lead to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
NVD status
- Status
- Analyzed — CVE has had analysis completed and all data associations made.
- Source
- [email protected]
Affected products (CPE)
| Product | CPE |
|---|---|
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc9:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc90:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc91:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc92:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc93:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc94:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.0.0:rc95:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.4.0:rc1:*:*:*:*:*:* |
| linuxfoundation / runc | cpe:2.3:a:linuxfoundation:runc:1.4.0:rc2:*:*:*:*:*:* |