CVE Tools

CVE-2025-52881

runc: LSM labels can be bypassed with malicious config using dummy procfs files

Published: Nov 6, 2025Updated: Dec 3, 2025 Sources: CVE List NVD GHSA BDUCWE-61

Patch Available

Description

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

CVSS Vector Breakdown

Exploitability

AV:LAttack Vector

Local

AC:HAttack Complexity

High

PR:LPrivileges Required

Low

UI:RUser Interaction

Required

Scope

S:CScope

Changed

Impact

C:HConfidentiality

High

I:HIntegrity

High

A:HAvailability

High

Open in CVSS calculator →

Weaknesses

Affected Products

runc opencontainers

Mixed

Cloud & SaaS / container-orchestration

Red Hat Enterprise Linux Red Hat Inc.

On-premOS

Operating Systems / linux-distro

Debian GNU/Linux Сообщество свободного программного обеспечения

On-premOS

Operating Systems / linux-distro

РЕД ОС ООО «Ред Софт»

On-premOS

Operating Systems / linux-distro

Astra Linux Special Edition ООО «РусБИТех-Астра»

On-premOS

Operating Systems / linux-distro

opencontainersoss-projectCloud & SaaSaka oci, open containers

red hat inc.commercialUSOperating Systemsaka red hat

сообщество свободного программного обеспеченияoss-projectOperating Systemsaka сообщество свободного программного обеспечения, fsf

ооо «ред софт»commercialRUOperating Systemsaka red soft

ооо «русбитех-астра»commercialRUOperating Systemsaka rusbitech-astra

and 12 more affected products View all →

Exploitability

1 exploit source identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details

Official Patch Available

Workaround Available

References

https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm

https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r

https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2

and 41 more references View all →

Timeline

Published

Nov 6, 2025

Last Updated

Dec 3, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-52881 and every CVE in our database. Create a free account — no credit card required.

Create Free Account

Plain-language analysis

Impact assessment and exploitation scenario in plain English

Attack graph visualization

Interactive attack path and kill chain mapping

Exploit details & PoC links

ExploitDB, Metasploit, GitHub PoCs with direct links

Nuclei scanner templates

Ready-to-use vulnerability scanner templates

Full remediation guide

Patch instructions, workarounds, and compliance impact

Interactive AI chat

Ask questions about this vulnerability in natural language

Related vulnerabilities

Semantically similar CVEs and attack patterns

REST API & MCP access

Integrate vulnerability data into your workflows