#runC

2025-11-27

Three dangerous runC Flaws could allow Threat Actors to escape Docker Containers.

Researchers at cloud security company Sysdig note that exploiting the three vulnerabilities "require the ability to start containers with custom mount configurations," which an attacker can achieve through malicious container images or Dockerfiles.

sysdig.com/blog/runc-container

#runC #it #security #privacy #engineer #media #secure #programming #tech #developer #news

👾The security issues were reported and disclosed by SUSE software engineer and Open Container Initiative [OCI] board member Aleksa Sarai.👾

<https://seclists.org/oss-sec/2025/q4/138>

• CVE-2025-31133 — runC uses /dev/null bind-mounts to “mask” sensitive host files. If an attacker replaces /dev/null with a symlink during container init, runc can end up bind-mounting an attacker-controlled target read-write into the container — enabling writes to /proc, and container escape.

<https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2>

• CVE-2025-52565 — The /dev/console bind mount can be redirected via races/symlinks so that runc mounts an unexpected target into the container before protections are applied. That again can expose writable access to critical procfs entries and enable breakouts.

<https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r>

• CVE-2025-52881 — runC can be tricked into performing writes to /proc that are redirected to attacker-controlled targets. It can bypass LSM relabel protections in some variants and turns ordinary runc writes into arbitrary writes to dangerous files like /proc/sysrq-trigger.

<https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm>

⁉️CVE-2025-31133 and CVE-2025-52881 affect all versions of runC, while CVE-2025-52565 impacts runC versions 1.0.0-rc3 and later. Fixes are available in runC versions 1.2.8, 1.3.3, 1.4.0-rc.3, and later.⁉️
2025-11-17

#POSIX mandates creating files through dangling symbolic links which opens the door for attack vectors which are still relevant today as we see from the #runc breaks where the attacker can plant a dangling symlink at /dev/{null,console} to create trouble. As of 3.45.0, #sydbox implies O_NOFOLLOW at open(2) boundary for O_CREAT unless O_EXCL was also passed. The mitigation can be disabled with the option "trace/allow_unsafe_create:1". See 2nd paragraph: man.exherbo.org/syd.7.html#Tru #linux #security

Three fairly serious vulnerabilities have been reported in #runc, which is involved in running containers.
Anyone using it should check!
#Linux #コンテナ技術 #セキュリティ #security #news

itmedia.co.jp/enterprise/artic

2025-11-12

Flatcar Container Linux 🚂 flatcar@hachyderm.io
2025-11-12

🚨 All channels include critical fixes for runc vulnerabilities -
CVE-2025-31133, CVE-2025-52565, CVE-2025-52881. Update soon to stay safe!
#Flatcar #Security #runc

2025-11-10

Alert: Three critical runC vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) enable mount/symlink-based escapes that may redirect writes to /proc or other host targets. A successful exploit requires container start privileges via crafted mounts or malicious images/Dockerfiles. Patches: runC 1.2.8 / 1.3.3 / 1.4.0-rc.3+.
Detection & mitigation guidance:
• Patch runC immediately.
• Deploy rootless containers and enable user namespaces without host root mapping.
• Monitor for rapid symlink creation, unexpected bind mounts of /dev/null or /dev/console, and anomalous writes to procfs entries (e.g., /proc/sysrq-trigger).
• Harden CI/CD image provenance checks and disallow unverified custom mount configurations.
Share any YARA/OSQuery/Suricata rules you’ve validated — let’s collate detection patterns. Follow TechNadu for vetted technical advisories.

#containersecurity #runC #CVE #Kubernetes #Docker #threathunting #DFIR #DevSecOps

Dangerous runC flaws could allow hackers to escape Docker containers
CyberNetsecIO netsecio
2025-11-09

📰 Critical Container Escape Flaws in runC Threaten Docker & Kubernetes

🚨 CRITICAL VULNERABILITY: Three new flaws in runC, the core runtime for Docker & Kubernetes, allow for container escape. Attackers could gain host access. This is a major threat to cloud environments. Patch immediately!

🔗 cyber.netsecops.io/articles/cr

2025-11-09

It's been a bit light on news over the last 24 hours, but we've got a couple of important updates: a widespread phishing scam targeting lost iPhone users and critical container escape vulnerabilities in runC. Let's dive in:

Lost iPhone Phishing Scam ⚠️

- The Swiss National Cyber Security Centre (NCSC) is warning iPhone users about a sophisticated phishing scam.
- Scammers are using information from a lost device's lock screen message (model, colour, contact details) to send convincing SMS or iMessage texts, claiming the phone has been found.
- The goal is to trick victims into entering their Apple ID credentials on a fake "Find My" website, allowing attackers to disable Activation Lock and potentially resell the device. Always ignore unsolicited messages and never click links; Apple will not contact you via SMS or email about a found device.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Dangerous runC Container Escape Flaws 🛡️

- Three new vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) have been disclosed in runC, the container runtime used by Docker and Kubernetes.
- These flaws could allow an attacker to bypass container isolation and gain root-level write access to the underlying host system, primarily by exploiting issues with bind-mounts and /proc redirection.
- While exploitation requires the ability to start containers with custom mount configurations, organisations should update to runC versions 1.2.8, 1.3.3, 1.4.0-rc.3 or later, activate user namespaces, and consider using rootless containers as mitigation.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

#CyberSecurity #ThreatIntelligence #Phishing #SocialEngineering #AppleID #Vulnerability #runC #ContainerSecurity #Docker #Kubernetes #InfoSec #CyberAttack #IncidentResponse

Sam Stepanyan 🐘 securestep9@infosec.exchange
2025-11-09

#Kubernetes: Newly disclosed #vulnerabilities in the #runC container runtime used in #Docker & Kubernetes (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) could be exploited to bypass isolation restrictions & get access to the host system (escape):
#k8s

bleepingcomputer.com/news/secu

Hacker News h4ckernews
2025-11-09

Updated, come and have a look! → [Digest] #Linux shaken up! The day the future of #セキュリティ (security), the desktop and apps changes, Thursday 6 November #OSS #security #runc #wayland #X11 #news youtube.com/shorts/TS2_w2tq6C4

2025-11-06

2025-11-06

Docker internals. A look under the hood

First there were physical servers: expensive and inefficient. Then came virtual machines, which made it possible to run several isolated operating systems on one piece of hardware. But the price of isolation stayed high: a full copy of the OS, gigabytes of disk, minutes to start up. Containers are the next step in the evolution. Why virtualize an entire machine and boot a full OS when you can isolate just the process itself, using the kernel's built-in mechanisms? This approach is an order of magnitude lighter, faster and more efficient.

habr.com/ru/articles/963702/

#docker #containerd #runc #linux #containers #container #контейнеризация #докер #devops #линукс

Brandon Mitchell bmitch@fosstodon.org
2025-11-05

If you use runc for your underlying container runtime (the default in many environments including Docker and many Kubernetes installs), there's a security update that just came out today. github.com/opencontainers/runc
#runc #docker #kubernetes #containers

Updated, come and have a look! → #Linux shaken up! The day the future of #セキュリティ (security), the desktop and apps changes, Thursday 6 November #OSS #security #runc #wayland #X11 #news youtube.com/watch?v=v-lKV3CqTLE

2025-11-05

2025-11-05

Symlinks strike again! This time with 3 #container breakouts in #runc. Other runtimes including #youki and #crun are also affected. #sydbox' syd-oci is also affected which is based on #youki. Expect updates soon: openwall.com/lists/oss-securit #exherbo #linux #security #podman

Keiran Rowell keiran_rowell
2025-09-13
2025-08-08

Docker from the inside: an exhaustive guide. Containerization mechanisms + examples, experiments and implementation

Docker is not magic but a skilful application of Linux mechanisms. We take apart a tool whose complexity is as intimidating as blockchain's. We show in plain terms how Namespaces, Cgroups and OverlayFS, the basic components of any container, work, and how the OCI standard unites them into a single ecosystem. All this and more in the article.

habr.com/ru/articles/935178/

#docker #контейнеризация #namespaces #cgroups #linux_kernel #виртуализация #runc #golang #linux
