{"id":"CVE-2026-41579","summary":"runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations","details":"runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join string which allow an image with /dev as a symlink to trick runc into deleting files called ptmx on the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This issue is not exploitable under Docker, because Docker creates a top-level read-only layer that masks any malicious /dev symlink present in the container image — unlike some other Linux container tooling, whose higher-level runtimes built on runc remain exposed to exploitation via a malicious image. This issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0.","aliases":["GHSA-xjvp-4fhw-gc47","GO-2026-5761"],"modified":"2026-07-15T01:49:16.526224196Z","published":"2026-07-01T00:02:08.639Z","related":["CGA-7mfv-w6hr-8fv2"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-61"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41579.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41579.json"},{"type":"ADVISORY","url":"https://github.com/opencontainers/runc/security/advisories/GHSA-xjvp-4fhw-gc47"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41579"},{"type":"FIX","url":"https://github.com/opencontainers/runc/commit/864db8042dbb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opencontainers/runc","events":[{"introduced":"0"},{"fixed":"491b69bab9fa206b984fb26ba07d3110d62e671f"},{"introduced":"8bd78a9977e604c4d5f67a7415d7b8b8c109cdc4"},{"fixed":"bb14dabeb7185bb72c8c86735d090dcb20f36587"},{"fixed":"864db8042dbb"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.3.6"},{"introduced":"1.4.0"},{"fixed":"1.4.3"}]}}],"versions":["v1.4.0-rc.1","v1.3.0-rc.1","v1.2.0-rc.3","v1.0.0-rc2","v0.0.8","v0.0.7","v0.0.6","v0.0.5","v0.0.4","v0.0.2","v0.0.3","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41579.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}