CVE-2025-52565: 
Podman vulnerability analysis and mitigation

CVE-2025-52565 is a container escape vulnerability discovered in runc that affects versions >=v1.0.0-rc3 through 1.2.7, 1.3.2, and 1.4.0-rc2. The vulnerability stems from insufficient checks when bind-mounting /dev/pts/$n to /dev/console inside containers, which occurs before maskedPaths and readonlyPaths are applied (GHSA Advisory).

The vulnerability allows an attacker to trick runc into bind-mounting paths that would normally be made read-only or be masked onto a path that the attacker can write to. While this happens after pivotroot(2) and cannot be used to write to host files directly, it can lead to denial of service or container breakout by providing the attacker with writable access to sensitive files like /proc/sysrq-trigger or /proc/sys/kernel/corepattern. The vulnerability has been assigned a CVSS v4.0 score of 7.3 (High) with vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (GHSA Advisory).

The successful exploitation of this vulnerability can lead to container breakout, allowing an attacker to escape container isolation. Additionally, it can be used for denial of service attacks against the host system. The attack provides the attacker with write access to typically restricted files, which can be leveraged to compromise host system security (GHSA Advisory).

Several mitigations are available: 1) Use containers with user namespaces where the host root user is not mapped into the container's user namespace, 2) Configure containers to not permit processes to run with root privileges and enable noNewPrivileges, 3) Avoid running untrusted container images from unknown sources, 4) Update to patched versions: runc 1.2.8, 1.3.3, or 1.4.0-rc.3. The default SELinux policy provides some mitigation, though this can be bypassed when combined with CVE-2025-52881 (GHSA Advisory).