
New runc vulnerabilities allow container escape: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881

Blog post from Sysdig

Post Details
Company: Sysdig
Date Published:
Author: Michael Clark
Word Count: 825
Language: English
Hacker News Points: -
Summary

On November 5, 2025, a researcher from SUSE disclosed three vulnerabilities affecting runc, the container runtime used by platforms such as Docker and Kubernetes, which could allow attackers to bypass container isolation and gain root access to the host system. The vulnerabilities involve mount race conditions and procfs write redirects, and exploiting them requires the ability to start containers with custom mount configurations, which makes untrusted container images and Dockerfiles the likely delivery methods. Identified as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, they stem from flaws in runc's handling of maskedPaths and from /dev/console mount races, and include LSM bypass techniques. The Sysdig Threat Research Team has provided mitigation and detection recommendations, urging users to update to runc 1.2.8, 1.3.3, or 1.4.0-rc.3 or later, enable user namespaces, use rootless containers, and apply vendor patches. No active exploitation has been identified, but detection tools such as Sysdig Secure and Falco can monitor for suspicious symlink behavior to flag potential exploitation attempts.