CVE-2025-62596: 
Rust vulnerability analysis and mitigation

Youki, a container runtime written in Rust, contains a vulnerability (CVE-2025-62596) in versions 0.5.6 and below where the apparmor handling performs insufficiently strict write-target validation. The vulnerability was disclosed on November 5, 2025, and affects the container's security boundaries. The issue has been fixed in version 0.5.7 (GitHub Advisory).

The vulnerability stems from insufficient write-target validation in youki's apparmor handling system. When combined with path substitution during pathname resolution, it can allow writes to unintended procfs locations. The weak write-target check only verifies that the destination lies somewhere under procfs, which means a write intended for /proc/self/attr/apparmor/exec can be redirected to other locations like /proc/sys/kernel/hostname. The vulnerability has received a CVSS v4.0 score of 7.3 (High) with vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, and a CVSS v3.1 score of 10.0 (Critical) (NVD).

The vulnerability can lead to container escape and denial of service through arbitrary write gadgets and procfs write redirects. While resolving a path component-by-component, a shared-mount race can substitute intermediate components and redirect the final target, potentially allowing an attacker to write to unintended locations within the procfs filesystem (GitHub Advisory).

The vulnerability has been patched in Youki version 0.5.7. The fix includes implementing stricter write-target validation and improved handling of path resolution. Users are advised to upgrade to version 0.5.7 or later to mitigate this vulnerability (GitHub Advisory).

The vulnerability was independently discovered by Li Fubang from acmcoder.com (CIIC) and Tõnis Tiigi from Docker. Aleksa Sarai from SUSE contributed original research into this class of security issues and solutions (GitHub Advisory).