{"id":"CVE-2025-31133","summary":"runc container escape via \"masked path\" abuse due to mount race conditions","details":"runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.","aliases":["GHSA-9493-h29p-rfm2","GO-2025-4096"],"modified":"2026-04-28T18:29:21.656156166Z","published":"2025-11-06T18:47:47.335Z","related":["ALSA-2025:19927","ALSA-2025:20957","ALSA-2025:21232","CGA-j6fg-v38r-fmwc","SUSE-SU-2025:21036-1","SUSE-SU-2025:21038-1","SUSE-SU-2025:21054-1","SUSE-SU-2025:21072-1","SUSE-SU-2025:21136-1","SUSE-SU-2025:3950-1","SUSE-SU-2025:3951-1","SUSE-SU-2025:4073-1","SUSE-SU-2025:4073-2","SUSE-SU-2025:4077-1","SUSE-SU-2025:4079-1","SUSE-SU-2025:4080-1","SUSE-SU-2025:4081-1","SUSE-SU-2026:0327-1","SUSE-SU-2026:20103-1","SUSE-SU-2026:20116-1","SUSE-SU-2026:20123-1","SUSE-SU-2026:20214-1","SUSE-SU-2026:20626-1","SUSE-SU-2026:20641-1","SUSE-SU-2026:21291-1","openSUSE-SU-2025:15705-1","openSUSE-SU-2025:20072-1","openSUSE-SU-2026:10073-1","openSUSE-SU-2026:20072-1","openSUSE-SU-2026:20080-1","openSUSE-SU-2026:20140-1","openSUSE-SU-2026:20305-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-363","CWE-61"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31133.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31133.json"},{"type":"ADVISORY","url":"https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-31133"},{"type":"FIX","url":"https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522"},{"type":"FIX","url":"https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66"},{"type":"FIX","url":"https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f"},{"type":"FIX","url":"https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opencontainers/runc","events":[{"introduced":"0"},{"fixed":"eeb7e6024f9ee43876301b1d23c353384fa6dcdd"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.8"}]}},{"type":"GIT","repo":"https://github.com/opencontainers/runc","events":[{"introduced":"a00ce11e91eb54c9c1bdfd773d13d4cdd41bb206"},{"fixed":"d842d7719497cc3b774fd71620278ac9e17710e0"}],"database_specific":{"versions":[{"introduced":"1.3.0-rc.1"},{"fixed":"1.3.3"}]}},{"type":"GIT","repo":"https://github.com/opencontainers/runc","events":[{"introduced":"b2ec7f9201cd52f0e3a8d83bc0b25da41239cb2c"},{"last_affected":"6c7d8ad6020f79a1c6cec2930f3016ee4c2e5138"}],"database_specific":{"versions":[{"introduced":"1.4.0-rc.1"},{"last_affected":"1.4.0-rc.3"}]}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v1.0.0-rc2","v1.2.0","v1.2.0-rc.3","v1.3.0-rc.1","v1.4.0-rc.1","v1.4.0-rc.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31133.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}