CVE-2025-31133

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-31133
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-31133.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-31133
Aliases
Downstream
Related
Published
2025-11-06T18:47:47Z
Modified
2025-11-11T02:54:55.701542Z
Severity
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
runc container escape via "masked path" abuse due to mount race conditions
Details

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Database specific 
{
    "cwe_ids": [
        "CWE-363",
        "CWE-61"
    ]
}
References

Affected packages

Git / github.com/opencontainers/runc

Affected ranges

Type
GIT
Repo
https://github.com/opencontainers/runc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
eeb7e6024f9ee43876301b1d23c353384fa6dcdd
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.2.8"
        }
    ]
}
Type
GIT
Repo
https://github.com/opencontainers/runc
Events
Introduced
a00ce11e91eb54c9c1bdfd773d13d4cdd41bb206
Fixed
d842d7719497cc3b774fd71620278ac9e17710e0
Database specific 
{
    "versions": [
        {
            "introduced": "1.3.0-rc.1"
        },
        {
            "fixed": "1.3.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/opencontainers/runc
Events
Introduced
b2ec7f9201cd52f0e3a8d83bc0b25da41239cb2c
Last affected
6c7d8ad6020f79a1c6cec2930f3016ee4c2e5138
Database specific 
{
    "versions": [
        {
            "introduced": "1.4.0-rc.1"
        },
        {
            "last_affected": "1.4.0-rc.3"
        }
    ]
}

Affected versions

v0.*

v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1

v1.*

v1.0.0
v1.0.0-rc1
v1.0.0-rc10
v1.0.0-rc2
v1.0.0-rc3
v1.0.0-rc4
v1.0.0-rc5
v1.0.0-rc6
v1.0.0-rc7
v1.0.0-rc8
v1.0.0-rc9
v1.0.0-rc90
v1.0.0-rc91
v1.0.0-rc92
v1.0.0-rc93
v1.0.0-rc94
v1.0.0-rc95
v1.1.0
v1.1.0-rc.1
v1.2.0
v1.2.0-rc.1
v1.2.0-rc.2
v1.2.0-rc.3
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.3.0
v1.3.0-rc.1
v1.3.0-rc.2
v1.3.1
v1.3.2
v1.4.0-rc.1
v1.4.0-rc.2
v1.4.0-rc.3