CVE-2025-52881: 
cAdvisor vulnerability analysis and mitigation

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts. The vulnerability was discovered on November 5, 2025 and affects all known versions up to the specified versions. The issue has been fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3 (NVD).

The vulnerability allows redirecting runc writes to /proc files using a race condition with shared mounts. Attackers can bypass Linux Security Module (LSM) labels by tricking runc into writing to fake procfs files instead of the intended security label files. This redirect could be through symbolic links in a tmpfs or other methods such as regular bind-mounts. The attack is possible to exploit using a standard Dockerfile with docker buildx build that permits triggering parallel execution of containers with custom shared mounts configured. The vulnerability has been assigned a CVSS v4.0 score of 7.3 (High) with vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (Sysdig, GitHub Advisory).

The vulnerability can allow attackers to redirect sysctl writes containing arbitrary text to dangerous files like /proc/sysrq-trigger or /proc/sys/kernel/core_pattern that can crash the system or escape the container. This could lead to container escape, host denial of service, or complete root privileges over the host system. The attack affects all writes to /proc in runc, including sysctls and security labels (GitHub Advisory).

The recommended mitigations include: 1) Update runc to version 1.2.8, 1.3.3, or 1.4.0-rc.3 or later, 2) Enable user namespaces for all containers to block the most serious attack vectors, 3) Use rootless containers where possible to limit the scope of vulnerabilities, 4) Apply vendor patches from AWS, ECS, EKS and other platforms released as of November 5, 2025, 5) Do not run untrusted container images from unknown or unverified sources (GitHub Advisory).

Multiple container runtime vendors including crun, youki, and LXC were notified of the vulnerability. Both crun and youki were found to have similar security issues and coordinated security releases alongside runc. LXC acknowledged vulnerability in some aspects but maintained their stance that non-user-namespaced containers are fundamentally insecure by design (GitHub Advisory).