Some Docker containers may not be as secure as they'd like, experts warn
Three high-severity flaws discovered
- Three runC flaws could allow container escape and host access with admin privileges
- Bugs affect Docker/Kubernetes setups using custom mounts and older runC versions
- Mitigation includes user namespaces and rootless containers to limit exploit impact
The runC container runtime, used in both Docker and Kubernetes, carried three high-severity vulnerabilities that could be used to access the underlying system, security researchers have warned.
Security researcher Aleksa Sarai disclosed CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, three bugs that, when chained together, grant access to the underlying container host with admin privileges.
runC is a lightweight, low-level container runtime used to create and run containers on Linux systems - making it basically the component that starts and manages containers on a machine.
No evidence of abuse
CVE-2025-31133, with a severity score of 7.3/10 (high), stemmed from runc not performing sufficient verification, which could lead to information disclosure, denial of service, and even container escape.
CVE-2025-52565, another insufficient-checks flaw, can also lead to denial of service. This bug was given an 8.4/10 score, while the final one, CVE-2025-52881, was described as a race condition in runc that allows an attacker to redirect /proc writes via shared mounts. It was given a score of 7.3/10 (high).
To abuse the flaws, attackers would first need to be able to start containers with custom mount configurations, researchers from Sysdig noted, stressing that this could, in theory, be achieved through malicious container images or Dockerfiles.
All three bugs affect versions 1.2.7, 1.3.2 and 1.4.0-rc.2, and were fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
Fortunately, there are currently no reports of any of the three bugs being actively abused in the wild, and runC developers have shared mitigations, including activating user namespaces for all containers without mapping the host root user into the container's namespace.
“This precaution should block the most important parts of the attack because of the Unix DAC permissions that would prevent namespaced users from accessing relevant files,” it reported, adding that using rootless containers is also recommended, since this reduces the potential damage from exploiting the flaws.
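A small check that ties the article's two actionable points together, added here as an example rather than code from the runC project or the article: it reads the version out of `runc --version` output, decides whether that release series still needs the fix listed above, and confirms whether a Docker `daemon.json` has `userns-remap` set. The `runc --version` output and the `daemon.json` content are constructed samples, and treating every release of a series below its listed fix as unpatched is an assumption of this example.

```python
import json
import re
from typing import Optional, Tuple

# Fixed releases named in the article, keyed by release series. Assumption of
# this example: any release of the same series below the fix is unpatched.
FIXED_BY_SERIES = {(1, 2): "1.2.8", (1, 3): "1.3.3", (1, 4): "1.4.0-rc.3"}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?$")
FINAL = 10**6  # a final release must sort after every release candidate


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.4.0-rc.2' into a comparable tuple; final releases get FINAL."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised runc version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else FINAL)


def version_from_output(output: str) -> Optional[str]:
    """Pull the version string out of `runc --version` text."""
    m = re.search(r"^runc version (\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


def needs_update(version: str) -> Optional[bool]:
    """True if below the fixed release of its series, False if at or above,
    None when the series is not one the article lists."""
    parsed = parse_version(version)
    fixed = FIXED_BY_SERIES.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def userns_remap_enabled(daemon_json: str) -> bool:
    """True when daemon.json sets the userns-remap option the article describes."""
    cfg = json.loads(daemon_json)
    return bool(cfg.get("userns-remap"))


# Constructed samples: the layout `runc --version` prints, and a daemon.json.
SAMPLE_OUTPUT = "runc version 1.3.2\ncommit: v1.3.2-0-g0123456\nspec: 1.2.0\n"
SAMPLE_DAEMON_JSON = '{"userns-remap": "default", "log-level": "info"}'

if __name__ == "__main__":
    found = version_from_output(SAMPLE_OUTPUT)
    print(f"runc {found}: needs update = {needs_update(found)}")
    print(f"userns-remap enabled = {userns_remap_enabled(SAMPLE_DAEMON_JSON)}")
```

On a real host, feed the output of `runc --version` and the contents of `/etc/docker/daemon.json` to these two functions instead of the samples.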
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.