Wiz
Vulnerability DatabaseCVE-2025-52565

CVE-2025-52565
cAdvisor vulnerability analysis and mitigation

Overview

runc is a CLI tool for spawning and running containers according to the OCI specification. The vulnerability (CVE-2025-52565) affects versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2. The issue was discovered and disclosed on November 5, 2025, and involves insufficient checks when bind-mounting /dev/pts/$n to /dev/console inside containers (GitHub Advisory, NVD).

Technical details

The vulnerability stems from insufficient validation during the bind-mounting of /dev/pts/$n to /dev/console during container initialization. This operation happens after pivot_root(2) and before maskedPaths and readonlyPaths protections are applied. The flaw allows attackers to redirect this mount and gain write access to protected procfs files. The vulnerability has been assigned a CVSS v4.0 base score of 7.3 (High) with the vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (GitHub Advisory).

Impact

While this vulnerability cannot be used to write to host files directly, it can lead to denial of service of the host or container breakout by providing the attacker with a writable copy of /proc/sysrq-trigger or /proc/sys/kernel/core_pattern. The attack allows bypassing container isolation mechanisms by manipulating mount targets to bypass security restrictions (Sysdig Blog).

Mitigation and workarounds

The issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3. Recommended mitigations include: using containers with user namespaces (with host root user not mapped into container's namespace), configuring containers to not permit processes to run with root privileges, and avoiding running untrusted container images. The default containers-selinux SELinux policy provides some mitigation as the /dev/console bind-mount does not get relabeled (AWS Security Bulletin, GitHub Advisory).

Community reactions

Major cloud providers and Linux distributions have responded quickly to the vulnerability. AWS has released updated Amazon ECS-Optimized AMIs and is automatically updating Fargate tasks. Red Hat has issued security advisories and patches for affected versions. Ubuntu has also provided fixed packages for supported releases (AWS Security Bulletin, Red Hat Security Advisory).

Additional resources

SourceThis report was generated using AI

Related cAdvisor vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-65637HIGH7.5
  • cAdvisorcAdvisor
  • src-fingerprint-fips
NoYesDec 04, 2025
CVE-2025-61729HIGH7.5
  • cAdvisorcAdvisor
  • consul-k8s-fips-1.5
NoYesDec 02, 2025
CVE-2025-61727MEDIUM6.5
  • cAdvisorcAdvisor
  • gitaly-fips-18.6
NoYesDec 03, 2025
CVE-2025-58181MEDIUM5.3
  • cAdvisorcAdvisor
  • kuma-2.11
NoYesNov 19, 2025
CVE-2025-47914MEDIUM5.3
  • cAdvisorcAdvisor
  • atlantis-fips
NoYesNov 19, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo