CVE-2025-52565

Source
https://cve.org/CVERecord?id=CVE-2025-52565
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52565.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-52565
Aliases
Downstream
Related
Published
2025-11-06T20:02:58.513Z
Modified
2026-07-08T07:32:12.443329896Z
Severity
  • 8.4 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H CVSS Calculator
Summary
container escape due to /dev/console mount and related races
Details

runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting /dev/pts/$n to /dev/console inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of /dev/pts/$n to /dev/console as configured for all containers that allocate a console). This happens after pivot_root(2), so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of /proc/sysrq-trigger or /proc/sys/kernel/core_pattern (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52565.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-363",
        "CWE-61"
    ]
}
References

Affected packages

Git / github.com/opencontainers/runc

Affected ranges

Type
GIT
Repo
https://github.com/opencontainers/runc
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ],
    "cpe": [
        "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc9:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc90:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc91:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc92:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc93:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc94:*:*:*:*:*:*",
        "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc95:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "1.0.1"
        },
        {
            "fixed": "1.2.8"
        },
        {
            "introduced": "1.3.0"
        },
        {
            "fixed": "1.3.3"
        },
        {
            "introduced": "1.0.0-rc3"
        },
        {
            "last_affected": "1.0.0-rc3"
        },
        {
            "introduced": "1.0.0-rc4"
        },
        {
            "last_affected": "1.0.0-rc4"
        },
        {
            "introduced": "1.0.0-rc5"
        },
        {
            "last_affected": "1.0.0-rc5"
        },
        {
            "introduced": "1.0.0-rc6"
        },
        {
            "last_affected": "1.0.0-rc6"
        },
        {
            "introduced": "1.0.0-rc7"
        },
        {
            "last_affected": "1.0.0-rc7"
        },
        {
            "introduced": "1.0.0-rc8"
        },
        {
            "last_affected": "1.0.0-rc8"
        },
        {
            "introduced": "1.0.0-rc9"
        },
        {
            "last_affected": "1.0.0-rc9"
        },
        {
            "introduced": "1.0.0-rc90"
        },
        {
            "last_affected": "1.0.0-rc90"
        },
        {
            "introduced": "1.0.0-rc91"
        },
        {
            "last_affected": "1.0.0-rc91"
        },
        {
            "introduced": "1.0.0-rc92"
        },
        {
            "last_affected": "1.0.0-rc92"
        },
        {
            "introduced": "1.0.0-rc93"
        },
        {
            "last_affected": "1.0.0-rc93"
        },
        {
            "introduced": "1.0.0-rc94"
        },
        {
            "last_affected": "1.0.0-rc94"
        },
        {
            "introduced": "1.0.0-rc95"
        },
        {
            "last_affected": "1.0.0-rc95"
        }
    ]
}

Affected versions

1.*
1.0.0-rc3
1.0.0-rc4
1.0.0-rc5
1.0.0-rc6
1.0.0-rc7
1.0.0-rc8
1.0.0-rc9
1.0.0-rc90
1.0.0-rc91
1.0.0-rc92
1.0.0-rc93
1.0.0-rc94
1.0.0-rc95

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52565.json"