CVE-2025-52881
HIGHDescription
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
Is your site exposed to CVE-2025-52881?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| linuxfoundation | runc |
| linuxfoundation | runc |
| linuxfoundation | runc |
| linuxfoundation | runc |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-52881? +
How severe is CVE-2025-52881? +
What products are affected by CVE-2025-52881? +
How do I check if I'm vulnerable to CVE-2025-52881? +
Related Vulnerabilities
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate …
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may …
Airlink's Daemon interfaces with Docker and the Panel to provide secure access for controlling instances via the Panel. In version …
Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user …
`zip` is a zip library for rust which supports reading and writing of simple ZIP files. In the archive extraction …
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if …