{
  "threat_severity" : "Important",
  "public_date" : "2025-11-05T00:00:00Z",
  "bugzilla" : {
    "description" : "runc: container escape via 'masked path' abuse due to mount race conditions",
    "id" : "2404705",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2404705"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-59",
  "details" : [ "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2, runc did not sufficiently verify that the source of the bind-mount used for masking (i.e., the container's /dev/null) was actually a real /dev/null inode. This exposes two methods of attack: an arbitrary mount gadget (leading to host information disclosure, host denial of service, or container escape) and a bypass of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.", "A flaw was found in runc. The flaw lies in how masked paths are implemented in runc. When masking files, runc bind-mounts the container's /dev/null inode on top of the file. However, if an attacker can replace the container's /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write." ],
  "statement" : "Red Hat considers this an Important flaw: exploitation requires a local attacker with only minimal privileges (control over a container's filesystem contents during container start) to jeopardize the host environment.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-11-13T00:00:00Z",
    "advisory" : "RHSA-2025:21232",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "container-tools:rhel8-8100020251112161627.afee755d"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-03-17T00:00:00Z",
    "advisory" : "RHSA-2026:4693",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "container-tools:rhel8-8080020260226135022.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-03-17T00:00:00Z",
    "advisory" : "RHSA-2026:4693",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "container-tools:rhel8-8080020260226135022.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-07T00:00:00Z",
    "advisory" : "RHSA-2025:19927",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "runc-4:1.2.5-3.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20957",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "runc-4:1.3.0-4.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-03-12T00:00:00Z",
    "advisory" : "RHSA-2026:4531",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "runc-4:1.2.9-1.el9_2.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-01-12T00:00:00Z",
    "advisory" : "RHSA-2026:0425",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "runc-4:1.2.9-1.el9_4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0315",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "runc-4:1.2.9-1.rhaos4.17.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.13",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0676",
    "cpe" : "cpe:/a:redhat:openshift:4.13::el8",
    "package" : "runc-4:1.2.9-1.rhaos4.16.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.13",
    "release_date" : "2025-12-05T00:00:00Z",
    "advisory" : "RHSA-2025:22275",
    "cpe" : "cpe:/a:redhat:openshift:4.13::el9",
    "package" : "rhcos-413.92.202511261311-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2026-01-30T00:00:00Z",
    "advisory" : "RHSA-2026:0995",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "runc-4:1.2.9-1.rhaos4.16.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.15",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:1540",
    "cpe" : "cpe:/a:redhat:openshift:4.15::el8",
    "package" : "runc-4:1.2.9-1.rhaos4.16.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.15",
    "release_date" : "2026-01-07T00:00:00Z",
    "advisory" : "RHSA-2025:23113",
    "cpe" : "cpe:/a:redhat:openshift:4.15::el9",
    "package" : "rhcos-415.92.202512100122-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0418",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el8",
    "package" : "runc-4:1.2.9-1.rhaos4.16.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2025-11-27T00:00:00Z",
    "advisory" : "RHSA-2025:21824",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "rhcos-416.94.202511191934-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0701",
    "cpe" : "cpe:/a:redhat:openshift:4.17::el9",
    "package" : "runc-4:1.2.9-1.rhaos4.17.el9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.18",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0331",
    "cpe" : "cpe:/a:redhat:openshift:4.18::el8",
    "package" : "runc-4:1.2.9-1.rhaos4.18.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.18",
    "release_date" : "2025-11-27T00:00:00Z",
    "advisory" : "RHSA-2025:21795",
    "cpe" : "cpe:/a:redhat:openshift:4.18::el9",
    "package" : "rhcos-418.94.202511170715-0"
  }, {
    "product_name" : "Red Hat Quay 3.16",
    "release_date" : "2026-02-12T00:00:00Z",
    "advisory" : "RHSA-2026:2681",
    "cpe" : "cpe:/a:redhat:quay:3.16::el9",
    "package" : "quay/quay-builder-rhel9:sha256:146699ff1cd4f8fdf19594ad5ce11dcafe9f8a266c94b104826c871b675f92e1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift-clients",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-31133", "https://nvd.nist.gov/vuln/detail/CVE-2025-31133", "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2" ],
  "name" : "CVE-2025-31133",
  "mitigation" : {
    "value" : "Potential mitigations for this issue include:\n* Using user namespaces, with the host root user not mapped into the container's namespace. procfs file permissions are managed using Unix DAC, and thus user namespaces stop a container process from being able to write to them.\n* Not running as the root user in the container (this includes disabling setuid binaries with noNewPrivileges). As above, procfs file permissions are managed using Unix DAC, and thus non-root users cannot write to them.\n* Depending on the maskedPaths configuration (the default configuration only masks paths in /proc and /sys), using an AppArmor profile that blocks unexpected writes to any maskedPaths (as is the case with the default profile used by Docker and Podman) will block attempts to exploit this issue. However, CVE-2025-52881 allows an attacker to bypass LSM labels, and so this mitigation is not helpful when considered in combination with CVE-2025-52881.",
    "lang" : "en:us"
  },
  "csaw" : false
}
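The following Python helper is an added example for this record; it is not Red Hat or runc code. It turns the two actionable parts of the record into checks: the upstream fixed versions named in "details" (1.2.8, 1.3.3, 1.4.0-rc.3) and the mitigations named in "mitigation" (a user namespace that does not map host root, a non-root process with noNewPrivileges, and an AppArmor profile, which the record itself says is bypassable in combination with CVE-2025-52881). The OCI `config.json` samples are constructed for illustration and the function names are hypothetical. Note the caveat in the code: the version check applies to upstream builds only, since the record's own fixed RHEL 9 package (runc-4:1.2.5-3.el9_6) carries the fix under an "affected" upstream version; for RPMs, compare the package NVR against the RHSA instead.

```python
"""Checks for CVE-2025-31133 derived from the Red Hat record above.

Added example, not Red Hat or runc code. Sample configs are constructed.
"""
import json
import re

# Fixed upstream releases from the record's "details" text.
FIXED_VERSIONS = ("1.2.8", "1.3.3", "1.4.0-rc.3")


def parse_version(text):
    """Extract (major, minor, patch, rc) from text such as 'runc version 1.3.0-rc.1'.

    A final release sorts above every rc of the same x.y.z, so finals get a
    large sentinel in the rc slot and rc.N gets N.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else 10**6)


def upstream_affected(version_text):
    """True when an *upstream* runc build is below the fix for its series.

    Caveat: distributions backport the fix without changing the upstream
    version (the record lists runc-4:1.2.5-3.el9_6 as the RHEL 9 fix), so
    for RPMs compare the package NVR against the RHSA instead of using this.
    """
    v = parse_version(version_text)
    fixed = sorted(parse_version(f) for f in FIXED_VERSIONS)
    same_series = [f for f in fixed if f[:2] == v[:2]]
    if same_series:
        return v < same_series[0]
    # 1.1.x and older fall under "1.2.7 and below"; series newer than any
    # the record lists are assumed to carry the fix.
    return v < fixed[0]


def mitigation_status(config_json):
    """Evaluate the record's mitigations against an OCI runtime config.json.

    Returns {mitigation: bool}. AppArmor is reported but, per the record,
    CVE-2025-52881 lets an attacker bypass LSM labels, so it is not a
    sufficient mitigation on its own.
    """
    cfg = json.loads(config_json)
    linux = cfg.get("linux", {})
    process = cfg.get("process", {})

    has_userns = any(ns.get("type") == "user" for ns in linux.get("namespaces", []))
    # Host uid 0 is inside the container's mapping iff some range starts at hostID 0.
    host_root_mapped = any(
        m.get("hostID") == 0 and m.get("size", 0) > 0
        for m in linux.get("uidMappings", [])
    )
    uid = process.get("user", {}).get("uid", 0)
    no_new_privs = bool(process.get("noNewPrivileges", False))

    return {
        "userns_without_host_root": has_userns and not host_root_mapped,
        "nonroot_and_no_new_privileges": uid != 0 and no_new_privs,
        "apparmor_profile_set": bool(process.get("apparmorProfile")),
    }


# Constructed sample: root in the container, no user namespace, no AppArmor.
WEAK_CONFIG = json.dumps({
    "ociVersion": "1.2.0",
    "process": {"user": {"uid": 0, "gid": 0}, "args": ["sh"]},
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}],
        "maskedPaths": ["/proc/kcore", "/proc/keys", "/sys/firmware"],
    },
})

# Constructed sample: host uid 0 not mapped, non-root, noNewPrivileges, AppArmor.
HARDENED_CONFIG = json.dumps({
    "ociVersion": "1.2.0",
    "process": {
        "user": {"uid": 1000, "gid": 1000},
        "args": ["sh"],
        "noNewPrivileges": True,
        "apparmorProfile": "container-default",
    },
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}],
        "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
        "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
        "maskedPaths": ["/proc/kcore", "/proc/keys", "/sys/firmware"],
    },
})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, mitigation_status(cfg))
    for v in ("runc version 1.2.7", "1.3.3", "1.4.0-rc.2", "1.4.0-rc.3"):
        print(v, "affected" if upstream_affected(v) else "fixed")
```

To use it against a live container, feed `mitigation_status()` the bundle's `config.json` (for runc, the one in the bundle directory passed to `runc run`) and `upstream_affected()` the first line of `runc --version` on a self-built or upstream binary.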