runc: /proc Redirect via Race in 1.2.7-1.4.0-rc.2
CVE-2025-52881 Published on November 6, 2025

runc: LSM labels can be bypassed with malicious config using dummy procfs files
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

Github Repository Github Repository NVD

Weakness Types

What is a Symlink following Vulnerability?

The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. A software system that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.

CVE-2025-52881 has been classified to as a Symlink following vulnerability or weakness.

Race Condition Enabling Link Following

The software checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the software to access the wrong file. While developers might expect that there is a very narrow time window between the time of check and time of use, there is still a race condition. An attacker could cause the software to slow down (e.g. with memory consumption), causing the time window to become larger. Alternately, in some situations, the attacker could win the race by performing a large number of attacks.

Products Associated with CVE-2025-52881

stack.watch emails you whenever new vulnerabilities are published in Amazon Aws or Canonical Ubuntu Linux. Just hit a watch button to start following.

Amazon Aws

Canonical Ubuntu Linux

Affected Versions

opencontainers runc:

Version <= 1.2.7, < 1.2.8 is affected.
Version <= 1.3.2, < 1.3.3 is affected.
Version <= 1.4.0-rc.2, < 1.4.0-rc.3 is affected.

Exploit Probability

EPSS

0.03%

Percentile

9.20%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.