An update for runc is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2820 Final 1.0 1.0 2025-12-12 Initial 2025-12-12 2025-12-12 openEuler SA Tool V1.0 2025-12-12 runc security update An update for runc is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2 runc is a CLI tool for spawning and running containers according to the OCI specification. Security Fix(es): runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.(CVE-2025-31133) runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.(CVE-2025-52565) runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.(CVE-2025-52881) An update for runc is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High runc https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2820 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-31133 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-52565 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-52881 https://nvd.nist.gov/vuln/detail/CVE-2025-31133 https://nvd.nist.gov/vuln/detail/CVE-2025-52565 https://nvd.nist.gov/vuln/detail/CVE-2025-52881 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 docker-runc-1.0.0.rc3-229.oe2003sp4.aarch64.rpm runc-1.1.3-34.oe2203sp3.aarch64.rpm runc-1.1.3-34.oe2203sp4.aarch64.rpm runc-1.1.8-26.oe2403.aarch64.rpm runc-1.1.8-27.oe2403sp1.aarch64.rpm runc-1.1.8-27.oe2403sp2.aarch64.rpm docker-runc-1.0.0.rc3-229.oe2003sp4.src.rpm runc-1.1.3-34.oe2203sp3.src.rpm runc-1.1.3-34.oe2203sp4.src.rpm runc-1.1.8-26.oe2403.src.rpm runc-1.1.8-27.oe2403sp1.src.rpm runc-1.1.8-27.oe2403sp2.src.rpm docker-runc-1.0.0.rc3-229.oe2003sp4.x86_64.rpm runc-1.1.3-34.oe2203sp3.x86_64.rpm runc-1.1.3-34.oe2203sp4.x86_64.rpm runc-1.1.8-26.oe2403.x86_64.rpm runc-1.1.8-27.oe2403sp1.x86_64.rpm runc-1.1.8-27.oe2403sp2.x86_64.rpm runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3. 2025-12-12 CVE-2025-31133 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 High 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H runc security update 2025-12-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2820 runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3. 2025-12-12 CVE-2025-52565 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 High 7.5 AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H runc security update 2025-12-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2820 runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3. 2025-12-12 CVE-2025-52881 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 High 7.5 AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H runc security update 2025-12-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2820