CVE-2025-31133: 
Podman vulnerability analysis and mitigation

CVE-2025-31133 is a high-severity vulnerability discovered in runc's implementation of maskedPaths feature. The vulnerability was discovered in August 2025, affecting runc versions <=1.2.7, <=1.3.2, and <=1.4.0-rc.2. The issue involves a use-after-free vulnerability in the maskedPaths feature that allows attackers to potentially escape container isolation through mount race conditions (GitHub Advisory).

The vulnerability stems from insufficient verification of the source of bind-mounts when using the container's /dev/null to mask files. When implementing the maskedPaths feature, runc failed to properly verify that the source of the bind-mount was actually a real /dev/null inode. The vulnerability has received a CVSS v4.0 score of 7.3 (High) with the vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (GitHub Advisory).

The vulnerability can lead to two distinct attack scenarios: 1) Arbitrary Mount Gadget attack enabling host information disclosure, host denial of service, or container escape through bind-mounting of sensitive files like /proc/sysrq-trigger or /proc/sys/kernel/core_pattern, and 2) Complete bypass of maskedPaths protection, allowing access to sensitive host information from typically masked files in /proc (GitHub Advisory).

Several mitigation strategies have been released: 1) Use containers with user namespaces where the host root user is not mapped into the container's user namespace, 2) Configure containers to not permit processes to run with root privileges, 3) Enable noNewPrivileges to disable setuid or set-capability binaries, 4) Avoid running untrusted container images from unknown sources. The vulnerability has been patched in runc versions 1.2.8, 1.3.3, and 1.4.0-rc.3 (GitHub Advisory).