Three high-severity vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) were disclosed in runc, the OCI container runtime used by Docker, Podman and, through containerd and CRI-O, Kubernetes. All three abuse runc's mount handling during container creation: by combining race conditions with symlinks planted in the container's rootfs or a crafted OCI config, an attacker can redirect bind mounts or file writes that runc performs as root so that they land on host files under /proc instead of the intended masked paths, which is enough for a full container breakout. The prerequisite is control over the container image or its runtime configuration, for example a malicious Dockerfile that plants the required symlinks, so any environment that runs untrusted images is exposed, and a breakout on a node can be used to move against the rest of a Kubernetes cluster. Users should immediately update to runc v1.4.0-rc.3, v1.3.3 or v1.2.8 (or the containerd, Docker or distribution packages that bundle those versions). Additional mitigations include running containers in user namespaces (rootless containers, Docker's userns-remap, or Kubernetes pods with hostUsers: false), running containers as non-root, and enforcing AppArmor or SELinux policies; these reduce exposure but are not a substitute for patching.
Table of contents
The vulnerabilities
Exploitation scenarios and threat model
Kubernetes and cloud native implications
Affected versions and patches
Mitigations
The bigger picture: Secure-by-default configurations
Credits
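A quick check of whether an installed runc carries the fixed releases named in the summary above, as an added example that is not from the original post or the runc project. It parses the first line of runc --version and compares the version against v1.2.8, v1.3.3 and v1.4.0-rc.3. Two things are assumptions of this script rather than statements from the advisory: series older than 1.2 are treated as unpatched, and series newer than 1.4 are treated as fixed. It also cannot recognise distribution packages that backport the fix under an older version number.

```shell
#!/bin/sh
# Added example, not code from the original post or the runc project.
# Checks whether a runc version string is at or above the fixed releases
# listed in the advisory: v1.2.8, v1.3.3, v1.4.0-rc.3.
# Assumptions: 1.0/1.1 are treated as unpatched, 1.5+ and 2.x as fixed,
# and distro backports with older version numbers are NOT recognised.

# runc_is_fixed VERSION -> returns 0 if VERSION carries the fixes, 1 if not.
runc_is_fixed() {
    v=${1#v}                  # "v1.3.2" -> "1.3.2"
    v=${v%%+*}                # drop build metadata such as "+ds1"
    base=${v%%-*}             # "1.4.0-rc.3" -> "1.4.0"; "1.1.12-0ubuntu2" -> "1.1.12"
    pre=""
    case $v in *-*) pre=${v#*-} ;; esac        # "rc.3", or empty for a final release
    rcn=$(printf '%s' "$pre" | tr -cd '0-9')    # "rc.3" -> "3"

    # Split MAJOR.MINOR.PATCH and keep only the leading digits of each part.
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    maj=${1%%[!0-9]*}; min=${2%%[!0-9]*}; pat=${3%%[!0-9]*}
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}; rcn=${rcn:-0}

    [ "$maj" -gt 1 ] && return 0       # assumption: 2.x and later include the fix
    [ "$maj" -lt 1 ] && return 1
    case $min in
        0|1) return 1 ;;               # no fixed release exists in these series
        # 1.2.x: fixed from 1.2.8 (a pre-release of 1.2.8 itself does not count)
        2) [ "$pat" -gt 8 ] || { [ "$pat" -eq 8 ] && [ -z "$pre" ]; } ;;
        # 1.3.x: fixed from 1.3.3
        3) [ "$pat" -gt 3 ] || { [ "$pat" -eq 3 ] && [ -z "$pre" ]; } ;;
        # 1.4.x: fixed from 1.4.0-rc.3, so the final 1.4.0 and anything later count
        4) [ "$pat" -gt 0 ] || [ -z "$pre" ] || [ "$rcn" -ge 3 ] ;;
        *) return 0 ;;                 # assumption: 1.5+ include the fix
    esac
}

# installed_runc_version -> prints "1.3.2" for "runc version 1.3.2",
# or nothing if runc is not in PATH.
installed_runc_version() {
    command -v runc >/dev/null 2>&1 || return 0
    runc --version 2>/dev/null | sed -n '1s/^runc version //p'
}

ver=$(installed_runc_version)
if [ -z "$ver" ]; then
    echo "runc not found in PATH; run this on each container host or Kubernetes node" >&2
elif runc_is_fixed "$ver"; then
    echo "runc $ver: contains the fixes for CVE-2025-31133/52565/52881"
else
    echo "runc $ver: VULNERABLE, upgrade to 1.2.8, 1.3.3 or 1.4.0-rc.3 (or later)"
fi
```

Run it on every node rather than from a workstation: the container runtime version that kubelet reports for a node is the containerd or CRI-O version, not the runc binary those runtimes invoke, so the runc version has to be read on the node itself (over SSH or from a privileged DaemonSet). If the package comes from a distribution, also check the distribution's advisory, since a backported fix can ship under a version number this script will flag as vulnerable.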