runc v1.4.0-rc.3 -- "その日、人類は思い出した。"
> [!NOTE]
> Some vendors were given patches corresponding to this release in advance. This public release includes two extra patches that fix regressions discovered very late in the embargo period, which were therefore not included in the pre-release versions. Please update to this version.
Security
This release includes fixes for the following high-severity security issues:
- CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's `/dev/null` inode on top of the file. However, if an attacker can replace `/dev/null` with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.
- CVE-2025-52565 is very similar in concept and application to , except that it exploits a flaw in bind-mounts. When creating the bind-mount (to ), if an attacker replaces with a symlink then runc will bind-mount the symlink target over . This issue affected all versions of runc >= 1.0.0-rc3.