CVE-2025-31133

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31133.json",
    "cwe_ids": [
        "CWE-363",
        "CWE-61"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/opencontainers/runc

Affected ranges

Type

GIT

Repo

https://github.com/opencontainers/runc

Events

Introduced

Fixed

eeb7e6024f9ee43876301b1d23c353384fa6dcdd

Introduced

4ca628d1d4c974f92d24daccb901aa078aad748e

Fixed

d842d7719497cc3b774fd71620278ac9e17710e0

Fixed

1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522

Fixed

5d7b2424072449872d1cd0c937f2ca25f418eb66

Fixed

8476df83b534a2522b878c0507b3491def48db9f

Fixed

db19bbed5348847da433faa9d69e9f90192bfa64

Database specific

{
    "cpe": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.2.8"
        },
        {
            "introduced": "1.3.0"
        },
        {
            "fixed": "1.3.3"
        }
    ]
}

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v1.*

v1.0.0-rc2

v1.2.0

v1.2.0-rc.3

v1.3.0-rc.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-31133.json"