Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
container escape due to /dev/console mount and related races
Vulnerability Description
runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
CVSS Information
N/A
Vulnerability Type
CWE-61
Vulnerability Title
runc 安全漏洞
Vulnerability Description
runc是Open Container Initiative开源的一款用于根据OCI规范生成和运行容器的CLI(命令行界面)工具。 runc 1.0.0-rc3版本至1.2.7版本、1.3.0-rc.1版本至1.3.2版本和1.4.0-rc.1版本至1.4.0-rc.2版本存在安全漏洞,该漏洞源于绑定挂载/dev/pts/$n到/dev/console时检查不足,可能导致拒绝服务或容器逃逸。
CVSS Information
N/A
Vulnerability Type
N/A