CVE-2025-62596: 
Rust vulnerability analysis and mitigation

CVE-2025-62596 affects Youki, a container runtime written in Rust, in versions 0.5.6 and below. The vulnerability stems from insufficiently strict write-target validation in youki's apparmor handling, which when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations (GitHub Advisory). The issue was discovered and disclosed in November 2025, with a fix released in version 0.5.7.

The vulnerability involves two key technical aspects: First, youki's weak write-target check only verifies that the destination lies somewhere under procfs, allowing writes intended for /proc/self/attr/apparmor/exec to be redirected to other procfs locations. Second, during path component-by-component resolution, a shared-mount race condition can substitute intermediate components and redirect the final target. The vulnerability has been assigned a CVSS v4.0 base score of 7.3 (High), with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (GitHub Advisory).

The vulnerability can lead to container escape and denial of service through arbitrary write capabilities and procfs write redirects. The impact is rated as High across multiple dimensions including confidentiality, integrity, and availability for both vulnerable and subsequent systems (GitHub Advisory).

The vulnerability has been patched in Youki version 0.5.7. Users are advised to upgrade to this version or later to address the security issue. The fix involves implementing stricter validation for write targets and addressing the path substitution vulnerability during pathname resolution (GitHub Advisory).

The vulnerability was independently discovered by Li Fubang from acmcoder.com (CIIC) and Tõnis Tiigi from Docker, with additional research contributions from Aleksa Sarai from SUSE regarding this class of security issues and solutions (GitHub Advisory).