A set of high-severity vulnerabilities in runc were publicly disclosed in November 2025, allowing for full container breakouts. Runc is the cornerstone of…

CNCF's platform is a leading organization driving cloud-native technologies and standards, offering insights into container orchestration, microservices architecture, and cloud-native infrastructure. Through whitepapers, case studies, and community events, CNCF provides insights into adopting cloud-native practices and technologies. Developers and DevOps teams can learn about Kubernetes, Prometheus, and other CNCF projects to build and operate scalable and resilient cloud-native applications.

CNCF

Three high-severity vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) were disclosed in runc, the default container runtime for Docker, Podman, and Kubernetes. All three exploit race conditions to bypass restrictions on writing to /proc files, enabling full container breakouts. Attackers can leverage malicious mount configurations in Dockerfiles to escape containers and potentially compromise entire Kubernetes clusters. Users should immediately update to runc v1.4.0-rc.3, v1.3.3, or v1.2.8. Additional mitigations include using user namespaces, running containers as non-root, and implementing AppArmor/SELinux policies.

runc container breakout vulnerabilities: A technical overview

The bigger picture: Secure-by-default configurations