1. Home
  2. Vulnerabilities
  3. CVE-2025-52881
7.3
HIGH CVSS 4.0
CVE-2025-52881
runc: LSM labels can be bypassed with malicious config using dummy procfs files
Description

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

INFO

Published Date :

Nov. 6, 2025, 9:15 p.m.

Last Modified :

Nov. 6, 2025, 9:15 p.m.

Remotely Exploit :

No

Source :

[email protected]
Affected Products

The following products are affected by CVE-2025-52881 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 4.0 HIGH [email protected]
Solution
Update runc to a patched version to prevent misdirected writes.
  • Update runc to version 1.2.8 or later.
  • Update runc to version 1.3.3 or later.
  • Update runc to version 1.4.0-rc.3 or later.
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-52881.

URL Resource
http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322
http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3
https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md
https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557
https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d
https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58
https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6
https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f
https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544
https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db
https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28
https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2
https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165
https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64
https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1
https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51
https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480
https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-52881 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-52881 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-52881 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2025-52881 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by [email protected]

    Nov. 06, 2025

    Action Type Old Value New Value
    Added Description runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
    Added CVSS V4.0 AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-363
    Added CWE CWE-61
    Added Reference http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322
    Added Reference http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3
    Added Reference https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md
    Added Reference https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557
    Added Reference https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d
    Added Reference https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58
    Added Reference https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6
    Added Reference https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f
    Added Reference https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544
    Added Reference https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db
    Added Reference https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28
    Added Reference https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2
    Added Reference https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165
    Added Reference https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64
    Added Reference https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1
    Added Reference https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51
    Added Reference https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480
    Added Reference https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
    Added Reference https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
    Added Reference https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 7.3
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability