
PEACH
Un cadre d’isolation des locataires
CVE-2026-41579 is a UNIX symbolic link (symlink) following vulnerability in runc, the OCI-compliant container runtime, that allows a malicious container image to trigger limited host filesystem integrity violations. When setting up the container rootfs, the setupPtmx and setupDevSymlinks functions use os.Remove and os.Symlink with filepath.Join-constructed paths, which can be manipulated if the container image contains /dev as a symlink. Affected versions include runc prior to 1.3.6, 1.4.0 through 1.4.2, and 1.5.0-rc.1 through 1.5.0-rc.2. The vulnerability was first reported on June 13, 2026, and publicly disclosed on June 22, 2026. It carries a CVSS v3.1 base score of 3.3 (Low) and a CVSS v4.0 base score of 4.8 (Medium) (Github Advisory, runc Security Advisory).
The root cause is improper symlink resolution (CWE-61: UNIX Symbolic Link Following) in runc's container rootfs initialization code. The setupPtmx and setupDevSymlinks functions operate on host paths constructed via filepath.Join(rootfs, ...) before pivot_root(2) is called, meaning a container image that places a symlink at /dev pointing to an arbitrary host directory can cause runc to perform file operations (deletion or symlink creation) outside the container's intended filesystem scope. The fix, implemented in commit 864db8042dbb, refactors these codepaths to be fd-based using UnlinkInRoot and SymlinkInRoot, which safely scope all operations within the container rootfs file descriptor. Docker is not affected because it creates a top-level read-only overlay layer that masks any malicious /dev symlink before runc processes the image; however, Podman and containerd (which do not implement this masking) remain exposed (Github Advisory, Fix Commit).
Successful exploitation allows an attacker with control over a container image to cause runc to delete a host file named ptmx in an arbitrary pre-existing directory, or to create a hardcoded set of symlinks (core → /proc/kcore, fd → /proc/self/fd/, ptmx → pts/ptmx, stdin → /proc/self/fd/0, stdout → /proc/self/fd/1, stderr → /proc/self/fd/2) in that directory. There is no confidentiality impact, and availability impact is limited — notably, /dev/pts/ptmx cannot be unlinked by devpts regardless of privileges, and /dev/ptmx itself is protected by a symlink loop detection. The primary risk is host filesystem integrity pollution, with a theoretical (but difficult to achieve in practice) path to service disruption if critical host files are affected (Github Advisory, runc Security Advisory).
/dev is replaced with a symbolic link pointing to a target host directory (e.g., /tmp/target or another pre-existing directory on the host).setupPtmx or setupDevSymlinks during rootfs initialization, it resolves the /dev symlink and operates on the host path.ptmx in the target host directory, and/or creates the hardcoded set of symlinks (core, fd, ptmx, stdin, stdout, stderr) with fixed targets in that directory, polluting the host filesystem (Github Advisory, runc Security Advisory).core, fd, ptmx, stdin, stdout, or stderr appearing in host directories outside of /dev; unexpected deletion of a file named ptmx in a host directory./dev symlink resolution.unlink or symlink syscalls targeting paths outside the expected container rootfs during container initialization (Github Advisory).Update runc to version 1.3.6, 1.4.3, or 1.5.0-rc.3 (or later stable releases), which replace the vulnerable path-based file operations with fd-based equivalents that safely scope all operations within the container rootfs. Docker users are not affected and do not require immediate action. As a workaround, enabling user namespaces restricts the attack to directories writable by the remapped root user (typically only world-writable directories for rootless containers using /etc/sub[ug]id). SELinux (container_runtime_t label) or AppArmor rules for the host runc context may also limit the scope of affected host paths, though their effectiveness has not been fully analyzed by the maintainers (Github Advisory, runc Security Advisory).
The runc maintainers (notably Aleksa Sarai / cyphar) chose to release the fix publicly without an embargo, citing the limited practical exploitability of the vulnerability. The advisory explicitly notes that Docker users are unaffected, while Podman and containerd users are exposed. The issue was independently reported by multiple researchers including "Davias", Arthur Chan (Ada Logics), Junyi Liu, and Derek Manzella, indicating broad community attention. Brief social media discussion was observed on Bluesky and Mastodon shortly after disclosure, and the issue was picked up by vulnerability tracking services including OSV, Vulners, and ENISA's EUVD (runc Security Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."