PT-2025-45350 · Runc+10
Published 2025-11-04 · Updated 2026-05-01 · CVE-2025-31133
CVSS v3.1: 7.8 High
Vector: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
runc versions 1.2.0 through 1.2.7
runc versions 1.3.0-rc.1 through 1.3.1
runc versions 1.4.0-rc.1 through 1.4.0-rc.2
Description
runc is a CLI tool for spawning and running containers according to the OCI specification. A race condition in the maskedPaths function allows for symlink following because the tool fails to sufficiently verify that the source of the bind-mount (such as the container's /dev/null) is an actual /dev/null inode when used for masking. This can lead to an arbitrary mount gadget, enabling host information disclosure, host denial of service, container escape, or the bypassing of maskedPaths, impacting the confidentiality, integrity, and availability of protected information.
Recommendations
Update versions 1.2.0 through 1.2.7 to 1.2.8.
Update versions 1.3.0-rc.1 through 1.3.1 to 1.3.3.
Update versions 1.4.0-rc.1 through 1.4.0-rc.2 to 1.4.0-rc.3.
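As an added illustration, not runc's own code and not the fix shipped in the versions above, the following C program shows the kind of source verification the description says was missing: the mask source is opened without following a final symlink, and the inode behind the resulting file descriptor is checked to be a character device carrying /dev/null's device number (major 1, minor 3 on Linux) before that descriptor, rather than the original path, would be used as the bind-mount source. Doing the check on the descriptor removes the window between verification and use that a path-based check leaves open. The function names and the helper that builds stat data from constructed values are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Linux assigns /dev/null character device major 1, minor 3. */
#define DEVNULL_MAJOR 1u
#define DEVNULL_MINOR 3u

/* Pure check on stat data: true only for a character device with /dev/null's number.
 * A regular file, directory, symlink or any other char device (e.g. 1:5, /dev/zero) fails. */
int is_devnull_stat(const struct stat *st) {
    if (!S_ISCHR(st->st_mode)) {
        return 0;
    }
    return major(st->st_rdev) == DEVNULL_MAJOR && minor(st->st_rdev) == DEVNULL_MINOR;
}

/* Helper (constructed for this example) so the check can be exercised without a real device. */
int is_devnull_mode_dev(mode_t mode, unsigned int maj, unsigned int min) {
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_mode = mode;
    st.st_rdev = makedev(maj, min);
    return is_devnull_stat(&st);
}

/* Open `path` as a mask source and verify the inode actually behind the descriptor.
 * O_NOFOLLOW makes a final-component symlink resolve to the link itself (S_IFLNK),
 * which the check rejects; O_PATH avoids opening the object for I/O.
 * Returns a descriptor the caller can refer to as the bind-mount source
 * (for example through /proc/self/fd/N), or -1 when the target is not the real /dev/null. */
int open_verified_devnull(const char *path) {
    int fd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        return -1;
    }
    struct stat st;
    if (fstat(fd, &st) != 0 || !is_devnull_stat(&st)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    int fd = open_verified_devnull(path);
    if (fd < 0) {
        printf("%s: rejected as a mask source (not the real /dev/null inode)\n", path);
        return 1;
    }
    printf("%s: verified /dev/null, usable as mask source via /proc/self/fd/%d\n", path, fd);
    close(fd);
    return 0;
}
```

Run it with no argument to verify the host's /dev/null, or pass a path such as a regular file or a symlink named `null` to see it rejected; the point of the design is that whatever is later mounted is the object that was inspected, because both steps go through the same descriptor.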
Exploit
Fix
DoS
Affected Products
Alt Linux
Almalinux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Runc