Recently, three high-severity vulnerabilities were disclosed in runC, the low-level container runtime used by Docker, containerd, Kubernetes, and other container platforms. By exploiting these vulnerabilities, it is possible to bypass container isolation boundaries and break out of the container to the underlying host.

What is runC?

runC is the low-level container runtime that Docker, containerd, Kubernetes, CRI-O and others rely on to actually create containers and set up their isolation. While it exposes a CLI, its real role is behind the scenes: configuring namespaces, cgroups, and mounts, and setting up the container's filesystem and other interfaces before your container process starts.

Why runC Vulnerabilities Matter for Docker and Kubernetes Security

Because runC is responsible for container isolation, any vulnerability affecting runC potentially affects the security boundary between the isolated container and the underlying host. This is why, for example, any workload running on top of Kubernetes can be affected.

Breaking Down CVE-2025-31133: "Masking" Turns Into Arbitrary Mount Gadget

The OCI runtime specification has a maskedPaths feature that is supposed to hide sensitive files and directories (e.g. /proc/kcore, /proc/sysrq-trigger) by mounting something harmless on top. This protects against privileged users in non-user-namespaced containers being able to write to files or access directories that would expose sensitive information or allow the container to perform destructive or other privileged operations on the host. Files are masked by bind-mounting the container's /dev/null on top of the masked path.

In vulnerable versions of runC, the issue is that runC didn't verify that the source of the bind-mount (the container's /dev/null) was a real /dev/null. If an attacker races and swaps it with a symlink to an attacker-controlled path, they could cause runC to bind-mount an arbitrary source path to a path inside the container, which can lead to a container escape.

Breaking Down CVE-202...