{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-52565","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-06-18T03:55:52.036Z","datePublished":"2025-11-06T20:02:58.513Z","dateUpdated":"2025-11-06T21:32:19.129Z"},"containers":{"cna":{"title":"container escape due to /dev/console mount and related races","problemTypes":[{"descriptions":[{"cweId":"CWE-61","lang":"en","description":"CWE-61: UNIX Symbolic Link (Symlink) Following","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-363","lang":"en","description":"CWE-363: Race Condition Enabling Link Following","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","baseScore":8.4,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H","version":"4.0"}}],"references":[{"name":"https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r","tags":["x_refsource_CONFIRM"],"url":"https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"},{"name":"https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4","tags":["x_refsource_MISC"],"url":"https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4"},{"name":"https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398","tags":["x_refsource_MISC"],"url":"https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398"},{"name":"https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e","tags":["x_refsource_MISC"],"url":"https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e"},{"name":"https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d","tags":["x_refsource_MISC"],"url":"https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d"},{"name":"https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a","tags":["x_refsource_MISC"],"url":"https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a"},{"name":"https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64","tags":["x_refsource_MISC"],"url":"https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"},{"name":"https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8","tags":["x_refsource_MISC"],"url":"https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8"},{"name":"https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480","tags":["x_refsource_MISC"],"url":"https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"}],"affected":[{"vendor":"opencontainers","product":"runc","versions":[{"version":">= 1.0.0-rc3, < 1.2.8","status":"affected"},{"version":">= 1.3.0-rc.1, < 1.3.3","status":"affected"},{"version":">= 1.4.0-rc.1, < 1.4.0-rc.3","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2025-11-06T20:02:58.513Z"},"descriptions":[{"lang":"en","value":"runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3."}],"source":{"advisory":"GHSA-qw9x-cqr3-wc7r","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-11-06T21:32:07.457681Z","id":"CVE-2025-52565","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-11-06T21:32:19.129Z"}}]}}