Several vulnerabilities discovered recently in the Runc container runtime can be exploited to escape containers and gain root access to the host system.
Runc is the low-level tool designed for creating and running containers. It’s used by Kubernetes, Docker, and other platforms.
Aleksa Sarai of SUSE Linux revealed last week that he and several other researchers discovered and reported potentially serious vulnerabilities that can lead to “full container breakouts”.
Runc updates that should patch the vulnerabilities have been released. Some affected vendors were notified ahead of public disclosure, and companies such as Red Hat and AWS have released their own advisories to inform customers of the impact of the security holes.
The vulnerabilities are tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, and they can be exploited using malicious containers.
“[The] attacks rely on starting containers with custom mount configurations — if you do not run untrusted container images from unknown or unverified sources then these attacks would not be possible to exploit,” Sarai noted.
The vulnerabilities have all been assigned a CVSS score of 4.0, which puts them in the ‘medium severity’ category. However, Sarai pointed out that these scores “are based on the threat model from *runc’s point of view*” and their severity would be much higher from the perspective of “network-enabled systems like Docker or Kubernetes”.
While there is no evidence of in-the-wild exploitation, security companies such as Sysdig have added exploitation detections to their products.
Related: Echo Raises $15M in Seed Funding for Vulnerability-Free Container Images
Related: Exposed Docker APIs Likely Exploited to Build Botnet
Related: Trend Micro Flags Incomplete Nvidia Patch That Leaves AI Containers Exposed
