Vulnerability-Lookup

CVE-2025-52881 (GCVE-0-2025-52881)

Vulnerability from cvelistv5 – Published: 2025-11-06 20:23 – Updated: 2025-11-06 21:07

Title

runc: LSM labels can be bypassed with malicious config using dummy procfs files

Summary

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

Severity

7.3 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following
CWE-363 - Race Condition Enabling Link Following

Assigner

GitHub_M

References

20 references

URL	Tags
https://github.com/opencontainers/runc/security/a…	x_refsource_CONFIRM
https://github.com/opencontainers/runc/security/a…	x_refsource_MISC
https://github.com/opencontainers/runc/security/a…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/ff9…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/ff6…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/ed6…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/db1…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/d61…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/d40…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/b3d…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/77d…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/778…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/6fc…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/4b3…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/44a…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/435…	x_refsource_MISC
https://github.com/opencontainers/runc/commit/3f9…	x_refsource_MISC
https://github.com/opencontainers/runc/blob/v1.4.…	x_refsource_MISC
http://github.com/opencontainers/runc/commit/a413…	x_refsource_MISC
http://github.com/opencontainers/runc/commit/fdcc…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
opencontainers	runc	Affected: <= 1.2.7, < 1.2.8 Affected: <= 1.3.2, < 1.3.3 Affected: <= 1.4.0-rc.2, < 1.4.0-rc.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52881",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T21:06:59.235416Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:07:09.382Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "runc",
          "vendor": "opencontainers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.2.7, \u003c 1.2.8"
            },
            {
              "status": "affected",
              "version": "\u003c= 1.3.2, \u003c 1.3.3"
            },
            {
              "status": "affected",
              "version": "\u003c= 1.4.0-rc.2, \u003c 1.4.0-rc.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-363",
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-06T20:23:36.237Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
        },
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
        },
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557"
        },
        {
          "name": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md"
        },
        {
          "name": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322"
        },
        {
          "name": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3"
        }
      ],
      "source": {
        "advisory": "GHSA-cgrx-mc8f-2prm",
        "discovery": "UNKNOWN"
      },
      "title": "runc: LSM labels can be bypassed with malicious config using dummy procfs files"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-52881",
    "datePublished": "2025-11-06T20:23:36.237Z",
    "dateReserved": "2025-06-20T17:42:25.708Z",
    "dateUpdated": "2025-11-06T21:07:09.382Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-52881",
      "date": "2026-06-06",
      "epss": "0.00016",
      "percentile": "0.03683"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-52881\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-06T21:15:42.817\",\"lastModified\":\"2025-12-03T18:37:17.917\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-61\"},{\"lang\":\"en\",\"value\":\"CWE-363\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.8\",\"matchCriteriaId\":\"889E52A1-D7B0-4DC8-BD63-9413A1DD9EEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3.0\",\"versionEndExcluding\":\"1.3.3\",\"matchCriteriaId\":\"F3193A96-E882-439B-984E-782315C62F69\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:runc:1.4.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"082E3496-822B-481B-AC2F-DA8DCAFC28FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:runc:1.4.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"71C62E90-6357-44A4-B582-28B1F1D9B16D\"}]}]}],\"references\":[{\"url\":\"http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-52881\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-06T21:06:59.235416Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-06T21:07:04.283Z\"}}], \"cna\": {\"title\": \"runc: LSM labels can be bypassed with malicious config using dummy procfs files\", \"source\": {\"advisory\": \"GHSA-cgrx-mc8f-2prm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"opencontainers\", \"product\": \"runc\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 1.2.7, \u003c 1.2.8\"}, {\"status\": \"affected\", \"version\": \"\u003c= 1.3.2, \u003c 1.3.3\"}, {\"status\": \"affected\", \"version\": \"\u003c= 1.4.0-rc.2, \u003c 1.4.0-rc.3\"}]}], \"references\": [{\"url\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\", \"name\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r\", \"name\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2\", \"name\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480\", \"name\": \"https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51\", \"name\": \"https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1\", \"name\": \"https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64\", \"name\": \"https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165\", \"name\": \"https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2\", \"name\": \"https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28\", \"name\": \"https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db\", \"name\": \"https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544\", \"name\": \"https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f\", \"name\": \"https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6\", \"name\": \"https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58\", \"name\": \"https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d\", \"name\": \"https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557\", \"name\": \"https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md\", \"name\": \"https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322\", \"name\": \"http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3\", \"name\": \"http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-61\", \"description\": \"CWE-61: UNIX Symbolic Link (Symlink) Following\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-363\", \"description\": \"CWE-363: Race Condition Enabling Link Following\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-06T20:23:36.237Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-52881\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-06T21:07:09.382Z\", \"dateReserved\": \"2025-06-20T17:42:25.708Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-06T20:23:36.237Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

SUSE-SU-2025:21072-1

Vulnerability from csaf_suse - Published: 2025-11-20 16:43 - Updated: 2025-11-20 16:43

Summary

Security update for runc

Severity

Important

Notes

Title of the patch: Security update for runc

Description of the patch: This update for runc fixes the following issues: - Update to runc v1.3.3: * CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: Fixed container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1252232)

Patchnames: SUSE-SL-Micro-6.2-46

CVE-2025-31133

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52565

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52881

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64	—	Vendor Fix

Threats

Impact important

References

18 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1252110	self
https://bugzilla.suse.com/1252232	self
https://www.suse.com/security/cve/CVE-2025-31133/	self
https://www.suse.com/security/cve/CVE-2025-52565/	self
https://www.suse.com/security/cve/CVE-2025-52881/	self
https://www.suse.com/security/cve/CVE-2025-31133	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52565	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52881	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for runc",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for runc fixes the following issues:\n\n- Update to runc v1.3.3:\n  * CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: Fixed container breakouts by bypassing\n    runc\u0027s restrictions for writing to arbitrary /proc files (bsc#1252232)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SL-Micro-6.2-46",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_21072-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:21072-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521072-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:21072-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023432.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252110",
        "url": "https://bugzilla.suse.com/1252110"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252232",
        "url": "https://bugzilla.suse.com/1252232"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-31133 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-31133/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52565 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52565/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52881 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52881/"
      }
    ],
    "title": "Security update for runc",
    "tracking": {
      "current_release_date": "2025-11-20T16:43:58Z",
      "generator": {
        "date": "2025-11-20T16:43:58Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:21072-1",
      "initial_release_date": "2025-11-20T16:43:58Z",
      "revision_history": [
        {
          "date": "2025-11-20T16:43:58Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-160000.1.1.aarch64",
                "product": {
                  "name": "runc-1.3.3-160000.1.1.aarch64",
                  "product_id": "runc-1.3.3-160000.1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-160000.1.1.ppc64le",
                "product": {
                  "name": "runc-1.3.3-160000.1.1.ppc64le",
                  "product_id": "runc-1.3.3-160000.1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-160000.1.1.s390x",
                "product": {
                  "name": "runc-1.3.3-160000.1.1.s390x",
                  "product_id": "runc-1.3.3-160000.1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-160000.1.1.x86_64",
                "product": {
                  "name": "runc-1.3.3-160000.1.1.x86_64",
                  "product_id": "runc-1.3.3-160000.1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Micro 6.2",
                "product": {
                  "name": "SUSE Linux Micro 6.2",
                  "product_id": "SUSE Linux Micro 6.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:transactional"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.aarch64 as component of SUSE Linux Micro 6.2",
          "product_id": "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64"
        },
        "product_reference": "runc-1.3.3-160000.1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.ppc64le as component of SUSE Linux Micro 6.2",
          "product_id": "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-160000.1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Micro 6.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.s390x as component of SUSE Linux Micro 6.2",
          "product_id": "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x"
        },
        "product_reference": "runc-1.3.3-160000.1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.x86_64 as component of SUSE Linux Micro 6.2",
          "product_id": "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64"
        },
        "product_reference": "runc-1.3.3-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-31133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-31133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64",
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le",
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x",
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-31133",
          "url": "https://www.suse.com/security/cve/CVE-2025-31133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-20T16:43:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-31133"
    },
    {
      "cve": "CVE-2025-52565",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52565"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64",
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le",
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x",
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52565",
          "url": "https://www.suse.com/security/cve/CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-20T16:43:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52565"
    },
    {
      "cve": "CVE-2025-52881",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52881"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64",
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le",
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x",
          "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52881",
          "url": "https://www.suse.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Micro 6.2:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-20T16:43:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52881"
    }
  ]
}

SUSE-SU-2025:21136-1

Vulnerability from csaf_suse - Published: 2025-11-20 16:43 - Updated: 2025-11-20 16:43

Summary

Security update for runc

Severity

Important

Notes

Title of the patch: Security update for runc

Patchnames: SUSE-SLES-16.0-46

CVE-2025-31133

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52565

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52881

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64	—	Vendor Fix

Threats

Impact important

References

18 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1252110	self
https://bugzilla.suse.com/1252232	self
https://www.suse.com/security/cve/CVE-2025-31133/	self
https://www.suse.com/security/cve/CVE-2025-52565/	self
https://www.suse.com/security/cve/CVE-2025-52881/	self
https://www.suse.com/security/cve/CVE-2025-31133	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52565	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52881	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for runc",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for runc fixes the following issues:\n\n- Update to runc v1.3.3:\n  * CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: Fixed container breakouts by bypassing\n    runc\u0027s restrictions for writing to arbitrary /proc files (bsc#1252232)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLES-16.0-46",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_21136-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:21136-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521136-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:21136-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023516.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252110",
        "url": "https://bugzilla.suse.com/1252110"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252232",
        "url": "https://bugzilla.suse.com/1252232"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-31133 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-31133/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52565 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52565/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52881 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52881/"
      }
    ],
    "title": "Security update for runc",
    "tracking": {
      "current_release_date": "2025-11-20T16:43:58Z",
      "generator": {
        "date": "2025-11-20T16:43:58Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:21136-1",
      "initial_release_date": "2025-11-20T16:43:58Z",
      "revision_history": [
        {
          "date": "2025-11-20T16:43:58Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-160000.1.1.aarch64",
                "product": {
                  "name": "runc-1.3.3-160000.1.1.aarch64",
                  "product_id": "runc-1.3.3-160000.1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-160000.1.1.ppc64le",
                "product": {
                  "name": "runc-1.3.3-160000.1.1.ppc64le",
                  "product_id": "runc-1.3.3-160000.1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-160000.1.1.s390x",
                "product": {
                  "name": "runc-1.3.3-160000.1.1.s390x",
                  "product_id": "runc-1.3.3-160000.1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-160000.1.1.x86_64",
                "product": {
                  "name": "runc-1.3.3-160000.1.1.x86_64",
                  "product_id": "runc-1.3.3-160000.1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server 16.0",
                  "product_id": "SUSE Linux Enterprise Server 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64"
        },
        "product_reference": "runc-1.3.3-160000.1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-160000.1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x"
        },
        "product_reference": "runc-1.3.3-160000.1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64"
        },
        "product_reference": "runc-1.3.3-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64"
        },
        "product_reference": "runc-1.3.3-160000.1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-160000.1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x"
        },
        "product_reference": "runc-1.3.3-160000.1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64"
        },
        "product_reference": "runc-1.3.3-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-31133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-31133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-31133",
          "url": "https://www.suse.com/security/cve/CVE-2025-31133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-20T16:43:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-31133"
    },
    {
      "cve": "CVE-2025-52565",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52565"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52565",
          "url": "https://www.suse.com/security/cve/CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-20T16:43:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52565"
    },
    {
      "cve": "CVE-2025-52881",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52881"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52881",
          "url": "https://www.suse.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:runc-1.3.3-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:runc-1.3.3-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-20T16:43:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52881"
    }
  ]
}

SUSE-SU-2025:3950-1

Vulnerability from csaf_suse - Published: 2025-11-05 10:22 - Updated: 2025-11-05 10:22

Summary

Security update for runc

Severity

Important

Notes

Title of the patch: Security update for runc

Description of the patch: This update for runc fixes the following issues: - CVE-2025-31133: Fixed container escape via 'masked path' abuse due to mount race conditions (bsc#1252232). - CVE-2025-52565: Fixed container escape with malicious config due to /dev/console mount and related races (bsc#1252232). - CVE-2025-52881: Fixed container escape and denial of service due to arbitrary write gadgets and procfs write redirects (bsc#1252232). Update to runc v1.2.7. - Upstream changelog is available from <https://github.com/opencontainers/runc/releases/tag/v1.2.7>

Patchnames: SUSE-2025-3950,SUSE-SLE-Micro-5.3-2025-3950,SUSE-SLE-Micro-5.4-2025-3950,SUSE-SLE-Micro-5.5-2025-3950,SUSE-SLE-Module-Basesystem-15-SP7-2025-3950,SUSE-SLE-Module-Containers-15-SP6-2025-3950,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-3950,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-3950,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-3950,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-3950,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-3950,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-3950,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-3950,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-3950,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-3950,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-3950,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-3950,SUSE-SUSE-MicroOS-5.2-2025-3950,SUSE-Storage-7.1-2025-3950,openSUSE-SLE-15.6-2025-3950

CVE-2025-31133

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 55 products

Product	Version	Remediation
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52565

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 55 products

Product	Version	Remediation
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52881

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 55 products

Product	Version	Remediation
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64	—	Vendor Fix

Threats

Impact important

References

17 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1252232	self
https://www.suse.com/security/cve/CVE-2025-31133/	self
https://www.suse.com/security/cve/CVE-2025-52565/	self
https://www.suse.com/security/cve/CVE-2025-52881/	self
https://www.suse.com/security/cve/CVE-2025-31133	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52565	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52881	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for runc",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for runc fixes the following issues:\n\n- CVE-2025-31133: Fixed container escape via \u0027masked path\u0027 abuse due to mount race conditions (bsc#1252232).\n- CVE-2025-52565: Fixed container escape with malicious config due to /dev/console mount and related races (bsc#1252232).\n- CVE-2025-52881: Fixed container escape and denial of service due to arbitrary write gadgets and procfs write redirects (bsc#1252232).\n\nUpdate to runc v1.2.7. \n\n- Upstream changelog is available from \u003chttps://github.com/opencontainers/runc/releases/tag/v1.2.7\u003e\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-3950,SUSE-SLE-Micro-5.3-2025-3950,SUSE-SLE-Micro-5.4-2025-3950,SUSE-SLE-Micro-5.5-2025-3950,SUSE-SLE-Module-Basesystem-15-SP7-2025-3950,SUSE-SLE-Module-Containers-15-SP6-2025-3950,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-3950,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-3950,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-3950,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-3950,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-3950,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-3950,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-3950,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-3950,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-3950,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-3950,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-3950,SUSE-SUSE-MicroOS-5.2-2025-3950,SUSE-Storage-7.1-2025-3950,openSUSE-SLE-15.6-2025-3950",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3950-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:3950-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253950-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:3950-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023152.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252232",
        "url": "https://bugzilla.suse.com/1252232"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-31133 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-31133/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52565 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52565/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52881 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52881/"
      }
    ],
    "title": "Security update for runc",
    "tracking": {
      "current_release_date": "2025-11-05T10:22:48Z",
      "generator": {
        "date": "2025-11-05T10:22:48Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:3950-1",
      "initial_release_date": "2025-11-05T10:22:48Z",
      "revision_history": [
        {
          "date": "2025-11-05T10:22:48Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.2.7-150000.80.1.aarch64",
                "product": {
                  "name": "runc-1.2.7-150000.80.1.aarch64",
                  "product_id": "runc-1.2.7-150000.80.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.2.7-150000.80.1.i586",
                "product": {
                  "name": "runc-1.2.7-150000.80.1.i586",
                  "product_id": "runc-1.2.7-150000.80.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.2.7-150000.80.1.ppc64le",
                "product": {
                  "name": "runc-1.2.7-150000.80.1.ppc64le",
                  "product_id": "runc-1.2.7-150000.80.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.2.7-150000.80.1.s390x",
                "product": {
                  "name": "runc-1.2.7-150000.80.1.s390x",
                  "product_id": "runc-1.2.7-150000.80.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.2.7-150000.80.1.x86_64",
                "product": {
                  "name": "runc-1.2.7-150000.80.1.x86_64",
                  "product_id": "runc-1.2.7-150000.80.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.3",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.3",
                  "product_id": "SUSE Linux Enterprise Micro 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-micro:5.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.4",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.4",
                  "product_id": "SUSE Linux Enterprise Micro 5.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-micro:5.4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.5",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.5",
                  "product_id": "SUSE Linux Enterprise Micro 5.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-micro:5.5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                  "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Containers 15 SP6",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Containers 15 SP6",
                  "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-containers:15:sp6"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.2",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.2",
                  "product_id": "SUSE Linux Enterprise Micro 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-microos:5.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Enterprise Storage 7.1",
                "product": {
                  "name": "SUSE Enterprise Storage 7.1",
                  "product_id": "SUSE Enterprise Storage 7.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:ses:7.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.s390x as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x"
        },
        "product_reference": "runc-1.2.7-150000.80.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise Micro 5.4",
          "product_id": "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.s390x as component of SUSE Linux Enterprise Micro 5.4",
          "product_id": "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x"
        },
        "product_reference": "runc-1.2.7-150000.80.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Micro 5.4",
          "product_id": "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise Micro 5.5",
          "product_id": "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.ppc64le as component of SUSE Linux Enterprise Micro 5.5",
          "product_id": "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le"
        },
        "product_reference": "runc-1.2.7-150000.80.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.s390x as component of SUSE Linux Enterprise Micro 5.5",
          "product_id": "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x"
        },
        "product_reference": "runc-1.2.7-150000.80.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Micro 5.5",
          "product_id": "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le"
        },
        "product_reference": "runc-1.2.7-150000.80.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x"
        },
        "product_reference": "runc-1.2.7-150000.80.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le"
        },
        "product_reference": "runc-1.2.7-150000.80.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.s390x as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x"
        },
        "product_reference": "runc-1.2.7-150000.80.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le"
        },
        "product_reference": "runc-1.2.7-150000.80.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.s390x as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x"
        },
        "product_reference": "runc-1.2.7-150000.80.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le"
        },
        "product_reference": "runc-1.2.7-150000.80.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.s390x as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x"
        },
        "product_reference": "runc-1.2.7-150000.80.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le"
        },
        "product_reference": "runc-1.2.7-150000.80.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.s390x as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x"
        },
        "product_reference": "runc-1.2.7-150000.80.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le"
        },
        "product_reference": "runc-1.2.7-150000.80.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le"
        },
        "product_reference": "runc-1.2.7-150000.80.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le"
        },
        "product_reference": "runc-1.2.7-150000.80.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Linux Enterprise Micro 5.2",
          "product_id": "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.s390x as component of SUSE Linux Enterprise Micro 5.2",
          "product_id": "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x"
        },
        "product_reference": "runc-1.2.7-150000.80.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Linux Enterprise Micro 5.2",
          "product_id": "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of SUSE Enterprise Storage 7.1",
          "product_id": "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "SUSE Enterprise Storage 7.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of SUSE Enterprise Storage 7.1",
          "product_id": "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "SUSE Enterprise Storage 7.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.aarch64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.ppc64le as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le"
        },
        "product_reference": "runc-1.2.7-150000.80.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.s390x as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x"
        },
        "product_reference": "runc-1.2.7-150000.80.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-150000.80.1.x86_64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64"
        },
        "product_reference": "runc-1.2.7-150000.80.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-31133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-31133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-31133",
          "url": "https://www.suse.com/security/cve/CVE-2025-31133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-05T10:22:48Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-31133"
    },
    {
      "cve": "CVE-2025-52565",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52565"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52565",
          "url": "https://www.suse.com/security/cve/CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-05T10:22:48Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52565"
    },
    {
      "cve": "CVE-2025-52881",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52881"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x",
          "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52881",
          "url": "https://www.suse.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.2.7-150000.80.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.2.7-150000.80.1.x86_64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.aarch64",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.s390x",
            "openSUSE Leap 15.6:runc-1.2.7-150000.80.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-05T10:22:48Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52881"
    }
  ]
}

SUSE-SU-2025:3951-1

Vulnerability from csaf_suse - Published: 2025-11-05 10:23 - Updated: 2025-11-05 10:23

Summary

Security update for runc

Severity

Important

Notes

Title of the patch: Security update for runc

Patchnames: SUSE-2025-3951,SUSE-SLE-SERVER-12-SP5-LTSS-2025-3951,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-3951

CVE-2025-31133

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 5 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52565

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 5 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52881

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 5 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64	—	Vendor Fix

Threats

Impact important

References

17 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1252232	self
https://www.suse.com/security/cve/CVE-2025-31133/	self
https://www.suse.com/security/cve/CVE-2025-52565/	self
https://www.suse.com/security/cve/CVE-2025-52881/	self
https://www.suse.com/security/cve/CVE-2025-31133	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52565	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52881	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for runc",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for runc fixes the following issues:\n\n- CVE-2025-31133: Fixed container escape via \u0027masked path\u0027 abuse due to mount race conditions (bsc#1252232).\n- CVE-2025-52565: Fixed container escape with malicious config due to /dev/console mount and related races (bsc#1252232).\n- CVE-2025-52881: Fixed container escape and denial of service due to arbitrary write gadgets and procfs write redirects (bsc#1252232).\n\nUpdate to runc v1.2.7. \n\n- Upstream changelog is available from \u003chttps://github.com/opencontainers/runc/releases/tag/v1.2.7\u003e\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-3951,SUSE-SLE-SERVER-12-SP5-LTSS-2025-3951,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-3951",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3951-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:3951-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253951-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:3951-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023151.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252232",
        "url": "https://bugzilla.suse.com/1252232"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-31133 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-31133/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52565 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52565/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52881 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52881/"
      }
    ],
    "title": "Security update for runc",
    "tracking": {
      "current_release_date": "2025-11-05T10:23:31Z",
      "generator": {
        "date": "2025-11-05T10:23:31Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:3951-1",
      "initial_release_date": "2025-11-05T10:23:31Z",
      "revision_history": [
        {
          "date": "2025-11-05T10:23:31Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.2.7-16.67.1.aarch64",
                "product": {
                  "name": "runc-1.2.7-16.67.1.aarch64",
                  "product_id": "runc-1.2.7-16.67.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.2.7-16.67.1.i586",
                "product": {
                  "name": "runc-1.2.7-16.67.1.i586",
                  "product_id": "runc-1.2.7-16.67.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.2.7-16.67.1.ppc64le",
                "product": {
                  "name": "runc-1.2.7-16.67.1.ppc64le",
                  "product_id": "runc-1.2.7-16.67.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.2.7-16.67.1.s390x",
                "product": {
                  "name": "runc-1.2.7-16.67.1.s390x",
                  "product_id": "runc-1.2.7-16.67.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.2.7-16.67.1.x86_64",
                "product": {
                  "name": "runc-1.2.7-16.67.1.x86_64",
                  "product_id": "runc-1.2.7-16.67.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 12 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 12 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:12:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
                  "product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss-extended-security:12:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-16.67.1.aarch64 as component of SUSE Linux Enterprise Server 12 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64"
        },
        "product_reference": "runc-1.2.7-16.67.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-16.67.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le"
        },
        "product_reference": "runc-1.2.7-16.67.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-16.67.1.s390x as component of SUSE Linux Enterprise Server 12 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x"
        },
        "product_reference": "runc-1.2.7-16.67.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-16.67.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64"
        },
        "product_reference": "runc-1.2.7-16.67.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.2.7-16.67.1.x86_64 as component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
          "product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64"
        },
        "product_reference": "runc-1.2.7-16.67.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-31133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-31133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64",
          "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-31133",
          "url": "https://www.suse.com/security/cve/CVE-2025-31133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-05T10:23:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-31133"
    },
    {
      "cve": "CVE-2025-52565",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52565"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64",
          "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52565",
          "url": "https://www.suse.com/security/cve/CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-05T10:23:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52565"
    },
    {
      "cve": "CVE-2025-52881",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52881"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64",
          "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52881",
          "url": "https://www.suse.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.2.7-16.67.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.2.7-16.67.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-05T10:23:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52881"
    }
  ]
}

SUSE-SU-2025:4073-1

Vulnerability from csaf_suse - Published: 2025-11-12 10:34 - Updated: 2025-11-12 10:34

Summary

Security update for runc

Severity

Important

Notes

Title of the patch: Security update for runc

Description of the patch: This update for runc fixes the following issues: Update to runc v1.3.3. Upstream changelog is available from <https://github.com/opencontainers/runc/releases/tag/v1.3.3>. bsc#1252232 * CVE-2025-31133 * CVE-2025-52565 * CVE-2025-52881 Update to runc v1.3.2. Upstream changelog is available from <https://github.com/opencontainers/runc/releases/tag/v1.3.2> bsc#1252110 - Includes an important fix for the CPUSet translation for cgroupv2. Update to runc v1.3.1. Upstream changelog is available from <https://github.com/opencontainers/runc/releases/tag/v1.3.1> Update to runc v1.3.0. Upstream changelog is available from <https://github.com/opencontainers/runc/releases/tag/v1.3.0>

Patchnames: SUSE-2025-4073,SUSE-SLE-Micro-5.3-2025-4073,SUSE-SLE-Micro-5.4-2025-4073,SUSE-SLE-Micro-5.5-2025-4073,SUSE-SLE-Module-Basesystem-15-SP7-2025-4073,SUSE-SLE-Module-Containers-15-SP6-2025-4073,SUSE-SUSE-MicroOS-5.2-2025-4073,SUSE-Storage-7.1-2025-4073,openSUSE-SLE-15.6-2025-4073

CVE-2025-31133

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 27 products

Product	Version	Remediation
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52565

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 27 products

Product	Version	Remediation
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52881

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 27 products

Product	Version	Remediation
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix

Threats

Impact important

References

18 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1252110	self
https://bugzilla.suse.com/1252232	self
https://www.suse.com/security/cve/CVE-2025-31133/	self
https://www.suse.com/security/cve/CVE-2025-52565/	self
https://www.suse.com/security/cve/CVE-2025-52881/	self
https://www.suse.com/security/cve/CVE-2025-31133	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52565	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52881	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for runc",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for runc fixes the following issues:\n\nUpdate to runc v1.3.3. Upstream changelog is available from\n\n  \u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.3\u003e. bsc#1252232\n\n  * CVE-2025-31133\n  * CVE-2025-52565\n  * CVE-2025-52881\n\nUpdate to runc v1.3.2. Upstream changelog is available from\n\n\u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.2\u003e bsc#1252110\n\n  - Includes an important fix for the CPUSet translation for cgroupv2.\n\nUpdate to runc v1.3.1. Upstream changelog is available from\n\n\u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.1\u003e\n\nUpdate to runc v1.3.0. Upstream changelog is available from\n\n\u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.0\u003e",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-4073,SUSE-SLE-Micro-5.3-2025-4073,SUSE-SLE-Micro-5.4-2025-4073,SUSE-SLE-Micro-5.5-2025-4073,SUSE-SLE-Module-Basesystem-15-SP7-2025-4073,SUSE-SLE-Module-Containers-15-SP6-2025-4073,SUSE-SUSE-MicroOS-5.2-2025-4073,SUSE-Storage-7.1-2025-4073,openSUSE-SLE-15.6-2025-4073",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4073-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:4073-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254073-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:4073-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023265.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252110",
        "url": "https://bugzilla.suse.com/1252110"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252232",
        "url": "https://bugzilla.suse.com/1252232"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-31133 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-31133/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52565 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52565/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52881 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52881/"
      }
    ],
    "title": "Security update for runc",
    "tracking": {
      "current_release_date": "2025-11-12T10:34:42Z",
      "generator": {
        "date": "2025-11-12T10:34:42Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:4073-1",
      "initial_release_date": "2025-11-12T10:34:42Z",
      "revision_history": [
        {
          "date": "2025-11-12T10:34:42Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-150000.85.1.aarch64",
                "product": {
                  "name": "runc-1.3.3-150000.85.1.aarch64",
                  "product_id": "runc-1.3.3-150000.85.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-150000.85.1.i586",
                "product": {
                  "name": "runc-1.3.3-150000.85.1.i586",
                  "product_id": "runc-1.3.3-150000.85.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-150000.85.1.ppc64le",
                "product": {
                  "name": "runc-1.3.3-150000.85.1.ppc64le",
                  "product_id": "runc-1.3.3-150000.85.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-150000.85.1.s390x",
                "product": {
                  "name": "runc-1.3.3-150000.85.1.s390x",
                  "product_id": "runc-1.3.3-150000.85.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-150000.85.1.x86_64",
                "product": {
                  "name": "runc-1.3.3-150000.85.1.x86_64",
                  "product_id": "runc-1.3.3-150000.85.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.3",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.3",
                  "product_id": "SUSE Linux Enterprise Micro 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-micro:5.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.4",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.4",
                  "product_id": "SUSE Linux Enterprise Micro 5.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-micro:5.4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.5",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.5",
                  "product_id": "SUSE Linux Enterprise Micro 5.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-micro:5.5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                  "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Containers 15 SP6",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Containers 15 SP6",
                  "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-containers:15:sp6"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.2",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.2",
                  "product_id": "SUSE Linux Enterprise Micro 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-microos:5.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Enterprise Storage 7.1",
                "product": {
                  "name": "SUSE Enterprise Storage 7.1",
                  "product_id": "SUSE Enterprise Storage 7.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:ses:7.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.s390x as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x"
        },
        "product_reference": "runc-1.3.3-150000.85.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise Micro 5.4",
          "product_id": "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.s390x as component of SUSE Linux Enterprise Micro 5.4",
          "product_id": "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x"
        },
        "product_reference": "runc-1.3.3-150000.85.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Micro 5.4",
          "product_id": "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise Micro 5.5",
          "product_id": "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.ppc64le as component of SUSE Linux Enterprise Micro 5.5",
          "product_id": "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-150000.85.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.s390x as component of SUSE Linux Enterprise Micro 5.5",
          "product_id": "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x"
        },
        "product_reference": "runc-1.3.3-150000.85.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Micro 5.5",
          "product_id": "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-150000.85.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x"
        },
        "product_reference": "runc-1.3.3-150000.85.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-150000.85.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.s390x as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x"
        },
        "product_reference": "runc-1.3.3-150000.85.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise Micro 5.2",
          "product_id": "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.s390x as component of SUSE Linux Enterprise Micro 5.2",
          "product_id": "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x"
        },
        "product_reference": "runc-1.3.3-150000.85.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Micro 5.2",
          "product_id": "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Enterprise Storage 7.1",
          "product_id": "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Enterprise Storage 7.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Enterprise Storage 7.1",
          "product_id": "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Enterprise Storage 7.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.ppc64le as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-150000.85.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.s390x as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x"
        },
        "product_reference": "runc-1.3.3-150000.85.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-31133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-31133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-31133",
          "url": "https://www.suse.com/security/cve/CVE-2025-31133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-12T10:34:42Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-31133"
    },
    {
      "cve": "CVE-2025-52565",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52565"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52565",
          "url": "https://www.suse.com/security/cve/CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-12T10:34:42Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52565"
    },
    {
      "cve": "CVE-2025-52881",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52881"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x",
          "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52881",
          "url": "https://www.suse.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Enterprise Storage 7.1:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Micro 5.5:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:runc-1.3.3-150000.85.1.x86_64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.aarch64",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.ppc64le",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.s390x",
            "openSUSE Leap 15.6:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-12T10:34:42Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52881"
    }
  ]
}

SUSE-SU-2025:4073-2

Vulnerability from csaf_suse - Published: 2025-11-24 02:49 - Updated: 2025-11-24 02:49

Summary

Security update for runc

Severity

Important

Notes

Title of the patch: Security update for runc

Patchnames: SUSE-2025-4073,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-4073,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-4073,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-4073,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-4073,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-4073,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-4073,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-4073,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-4073,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-4073,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-4073,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-4073

CVE-2025-31133

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 28 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52565

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 28 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52881

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 28 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64	—	Vendor Fix

Threats

Impact important

References

18 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1252110	self
https://bugzilla.suse.com/1252232	self
https://www.suse.com/security/cve/CVE-2025-31133/	self
https://www.suse.com/security/cve/CVE-2025-52565/	self
https://www.suse.com/security/cve/CVE-2025-52881/	self
https://www.suse.com/security/cve/CVE-2025-31133	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52565	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52881	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for runc",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for runc fixes the following issues:\n\nUpdate to runc v1.3.3. Upstream changelog is available from\n\n  \u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.3\u003e. bsc#1252232\n\n  * CVE-2025-31133\n  * CVE-2025-52565\n  * CVE-2025-52881\n\nUpdate to runc v1.3.2. Upstream changelog is available from\n\n\u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.2\u003e bsc#1252110\n\n  - Includes an important fix for the CPUSet translation for cgroupv2.\n\nUpdate to runc v1.3.1. Upstream changelog is available from\n\n\u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.1\u003e\n\nUpdate to runc v1.3.0. Upstream changelog is available from\n\n\u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.0\u003e",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-4073,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-4073,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-4073,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-4073,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-4073,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-4073,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-4073,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-4073,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-4073,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-4073,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-4073,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-4073",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4073-2.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:4073-2",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254073-2/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:4073-2",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023325.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252110",
        "url": "https://bugzilla.suse.com/1252110"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252232",
        "url": "https://bugzilla.suse.com/1252232"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-31133 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-31133/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52565 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52565/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52881 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52881/"
      }
    ],
    "title": "Security update for runc",
    "tracking": {
      "current_release_date": "2025-11-24T02:49:00Z",
      "generator": {
        "date": "2025-11-24T02:49:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:4073-2",
      "initial_release_date": "2025-11-24T02:49:00Z",
      "revision_history": [
        {
          "date": "2025-11-24T02:49:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-150000.85.1.aarch64",
                "product": {
                  "name": "runc-1.3.3-150000.85.1.aarch64",
                  "product_id": "runc-1.3.3-150000.85.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-150000.85.1.i586",
                "product": {
                  "name": "runc-1.3.3-150000.85.1.i586",
                  "product_id": "runc-1.3.3-150000.85.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-150000.85.1.ppc64le",
                "product": {
                  "name": "runc-1.3.3-150000.85.1.ppc64le",
                  "product_id": "runc-1.3.3-150000.85.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-150000.85.1.s390x",
                "product": {
                  "name": "runc-1.3.3-150000.85.1.s390x",
                  "product_id": "runc-1.3.3-150000.85.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-150000.85.1.x86_64",
                "product": {
                  "name": "runc-1.3.3-150000.85.1.x86_64",
                  "product_id": "runc-1.3.3-150000.85.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-150000.85.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.s390x as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x"
        },
        "product_reference": "runc-1.3.3-150000.85.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-150000.85.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.s390x as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x"
        },
        "product_reference": "runc-1.3.3-150000.85.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-150000.85.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.s390x as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x"
        },
        "product_reference": "runc-1.3.3-150000.85.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-150000.85.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-150000.85.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-150000.85.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-150000.85.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64"
        },
        "product_reference": "runc-1.3.3-150000.85.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-31133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-31133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-31133",
          "url": "https://www.suse.com/security/cve/CVE-2025-31133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-24T02:49:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-31133"
    },
    {
      "cve": "CVE-2025-52565",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52565"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52565",
          "url": "https://www.suse.com/security/cve/CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-24T02:49:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52565"
    },
    {
      "cve": "CVE-2025-52881",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52881"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52881",
          "url": "https://www.suse.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:runc-1.3.3-150000.85.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:runc-1.3.3-150000.85.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-24T02:49:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52881"
    }
  ]
}

SUSE-SU-2025:4074-1

Vulnerability from csaf_suse - Published: 2025-11-12 10:35 - Updated: 2025-11-12 10:35

Summary

Security update for buildah

Severity

Important

Notes

Title of the patch: Security update for buildah

Description of the patch: This update for buildah fixes the following issues: - CVE-2025-52881: Fixed container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1253096) Other fixes: - podman and buildah with runc 1.3.2 fail with lots of warnings as rootless (bsc#1252543)

Patchnames: SUSE-2025-4074,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-4074,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-4074,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-4074,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-4074

CVE-2025-52881

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 10 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.53.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.53.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.53.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.53.1.x86_64	—	Vendor Fix

Threats

Impact important

References

10 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1252543	self
https://bugzilla.suse.com/1253096	self
https://www.suse.com/security/cve/CVE-2025-52881/	self
https://www.suse.com/security/cve/CVE-2025-52881	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for buildah",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for buildah fixes the following issues:\n\n- CVE-2025-52881: Fixed container breakouts by bypassing runc\u0027s restrictions for writing to arbitrary /proc files (bsc#1253096)\n\nOther fixes:\n  \n- podman and buildah with runc 1.3.2 fail with lots of warnings as rootless (bsc#1252543)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-4074,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-4074,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-4074,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-4074,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-4074",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4074-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:4074-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254074-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:4074-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023264.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252543",
        "url": "https://bugzilla.suse.com/1252543"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253096",
        "url": "https://bugzilla.suse.com/1253096"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52881 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52881/"
      }
    ],
    "title": "Security update for buildah",
    "tracking": {
      "current_release_date": "2025-11-12T10:35:09Z",
      "generator": {
        "date": "2025-11-12T10:35:09Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:4074-1",
      "initial_release_date": "2025-11-12T10:35:09Z",
      "revision_history": [
        {
          "date": "2025-11-12T10:35:09Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150400.3.53.1.aarch64",
                "product": {
                  "name": "buildah-1.35.5-150400.3.53.1.aarch64",
                  "product_id": "buildah-1.35.5-150400.3.53.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150400.3.53.1.i586",
                "product": {
                  "name": "buildah-1.35.5-150400.3.53.1.i586",
                  "product_id": "buildah-1.35.5-150400.3.53.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150400.3.53.1.ppc64le",
                "product": {
                  "name": "buildah-1.35.5-150400.3.53.1.ppc64le",
                  "product_id": "buildah-1.35.5-150400.3.53.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150400.3.53.1.s390x",
                "product": {
                  "name": "buildah-1.35.5-150400.3.53.1.s390x",
                  "product_id": "buildah-1.35.5-150400.3.53.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150400.3.53.1.x86_64",
                "product": {
                  "name": "buildah-1.35.5-150400.3.53.1.x86_64",
                  "product_id": "buildah-1.35.5-150400.3.53.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150400.3.53.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.53.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150400.3.53.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150400.3.53.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.53.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150400.3.53.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150400.3.53.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150400.3.53.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150400.3.53.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150400.3.53.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150400.3.53.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150400.3.53.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150400.3.53.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.ppc64le"
        },
        "product_reference": "buildah-1.35.5-150400.3.53.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150400.3.53.1.s390x as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.s390x"
        },
        "product_reference": "buildah-1.35.5-150400.3.53.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150400.3.53.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150400.3.53.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150400.3.53.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.53.1.ppc64le"
        },
        "product_reference": "buildah-1.35.5-150400.3.53.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150400.3.53.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.53.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150400.3.53.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-52881",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52881"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.53.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.53.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.s390x",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.53.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.53.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52881",
          "url": "https://www.suse.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.53.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.53.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.53.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.53.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.53.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.53.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.s390x",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.53.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.53.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.53.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-12T10:35:09Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52881"
    }
  ]
}

SUSE-SU-2025:4075-1

Vulnerability from csaf_suse - Published: 2025-11-12 10:35 - Updated: 2025-11-12 10:35

Summary

Security update for buildah

Severity

Important

Notes

Title of the patch: Security update for buildah

Patchnames: SUSE-2025-4075,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-4075,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-4075,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-4075,SUSE-Storage-7.1-2025-4075

CVE-2025-52881

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 10 products

Product	Version	Remediation
Unresolved product id: SUSE Enterprise Storage 7.1:buildah-1.35.5-150300.8.46.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Enterprise Storage 7.1:buildah-1.35.5-150300.8.46.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:buildah-1.35.5-150300.8.46.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:buildah-1.35.5-150300.8.46.1.x86_64	—	Vendor Fix

Threats

Impact important

References

10 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1252543	self
https://bugzilla.suse.com/1253096	self
https://www.suse.com/security/cve/CVE-2025-52881/	self
https://www.suse.com/security/cve/CVE-2025-52881	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for buildah",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for buildah fixes the following issues:\n\n- CVE-2025-52881: Fixed container breakouts by bypassing runc\u0027s restrictions for writing to arbitrary /proc files (bsc#1253096)\n\nOther fixes:\n  \n- podman and buildah with runc 1.3.2 fail with lots of warnings as rootless (bsc#1252543)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-4075,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-4075,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-4075,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-4075,SUSE-Storage-7.1-2025-4075",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4075-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:4075-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254075-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:4075-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023263.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252543",
        "url": "https://bugzilla.suse.com/1252543"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253096",
        "url": "https://bugzilla.suse.com/1253096"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52881 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52881/"
      }
    ],
    "title": "Security update for buildah",
    "tracking": {
      "current_release_date": "2025-11-12T10:35:24Z",
      "generator": {
        "date": "2025-11-12T10:35:24Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:4075-1",
      "initial_release_date": "2025-11-12T10:35:24Z",
      "revision_history": [
        {
          "date": "2025-11-12T10:35:24Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150300.8.46.1.aarch64",
                "product": {
                  "name": "buildah-1.35.5-150300.8.46.1.aarch64",
                  "product_id": "buildah-1.35.5-150300.8.46.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150300.8.46.1.i586",
                "product": {
                  "name": "buildah-1.35.5-150300.8.46.1.i586",
                  "product_id": "buildah-1.35.5-150300.8.46.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150300.8.46.1.ppc64le",
                "product": {
                  "name": "buildah-1.35.5-150300.8.46.1.ppc64le",
                  "product_id": "buildah-1.35.5-150300.8.46.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150300.8.46.1.s390x",
                "product": {
                  "name": "buildah-1.35.5-150300.8.46.1.s390x",
                  "product_id": "buildah-1.35.5-150300.8.46.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150300.8.46.1.x86_64",
                "product": {
                  "name": "buildah-1.35.5-150300.8.46.1.x86_64",
                  "product_id": "buildah-1.35.5-150300.8.46.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Enterprise Storage 7.1",
                "product": {
                  "name": "SUSE Enterprise Storage 7.1",
                  "product_id": "SUSE Enterprise Storage 7.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:ses:7.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150300.8.46.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150300.8.46.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150300.8.46.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150300.8.46.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150300.8.46.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150300.8.46.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150300.8.46.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.ppc64le"
        },
        "product_reference": "buildah-1.35.5-150300.8.46.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150300.8.46.1.s390x as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.s390x"
        },
        "product_reference": "buildah-1.35.5-150300.8.46.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150300.8.46.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150300.8.46.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150300.8.46.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:buildah-1.35.5-150300.8.46.1.ppc64le"
        },
        "product_reference": "buildah-1.35.5-150300.8.46.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150300.8.46.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:buildah-1.35.5-150300.8.46.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150300.8.46.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150300.8.46.1.aarch64 as component of SUSE Enterprise Storage 7.1",
          "product_id": "SUSE Enterprise Storage 7.1:buildah-1.35.5-150300.8.46.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150300.8.46.1.aarch64",
        "relates_to_product_reference": "SUSE Enterprise Storage 7.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150300.8.46.1.x86_64 as component of SUSE Enterprise Storage 7.1",
          "product_id": "SUSE Enterprise Storage 7.1:buildah-1.35.5-150300.8.46.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150300.8.46.1.x86_64",
        "relates_to_product_reference": "SUSE Enterprise Storage 7.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-52881",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52881"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Enterprise Storage 7.1:buildah-1.35.5-150300.8.46.1.aarch64",
          "SUSE Enterprise Storage 7.1:buildah-1.35.5-150300.8.46.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.s390x",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:buildah-1.35.5-150300.8.46.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:buildah-1.35.5-150300.8.46.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52881",
          "url": "https://www.suse.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Enterprise Storage 7.1:buildah-1.35.5-150300.8.46.1.aarch64",
            "SUSE Enterprise Storage 7.1:buildah-1.35.5-150300.8.46.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:buildah-1.35.5-150300.8.46.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:buildah-1.35.5-150300.8.46.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Enterprise Storage 7.1:buildah-1.35.5-150300.8.46.1.aarch64",
            "SUSE Enterprise Storage 7.1:buildah-1.35.5-150300.8.46.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:buildah-1.35.5-150300.8.46.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:buildah-1.35.5-150300.8.46.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:buildah-1.35.5-150300.8.46.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-12T10:35:24Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52881"
    }
  ]
}

SUSE-SU-2025:4076-1

Vulnerability from csaf_suse - Published: 2025-11-12 10:35 - Updated: 2025-11-12 10:35

Summary

Security update for buildah

Severity

Important

Notes

Title of the patch: Security update for buildah

Patchnames: SUSE-2025-4076,SUSE-SLE-Module-Containers-15-SP6-2025-4076,SUSE-SLE-Module-Containers-15-SP7-2025-4076,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-4076,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-4076,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-4076,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-4076,openSUSE-SLE-15.6-2025-4076

CVE-2025-52881

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 22 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:buildah-1.35.5-150500.3.45.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:buildah-1.35.5-150500.3.45.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:buildah-1.35.5-150500.3.45.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:buildah-1.35.5-150500.3.45.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.x86_64	—	Vendor Fix

Threats

Impact important

References

9 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1253096	self
https://www.suse.com/security/cve/CVE-2025-52881/	self
https://www.suse.com/security/cve/CVE-2025-52881	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for buildah",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for buildah fixes the following issues:\n\n- CVE-2025-52881: Fixed container breakouts by bypassing runc\u0027s restrictions for writing to arbitrary /proc files (bsc#1253096)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-4076,SUSE-SLE-Module-Containers-15-SP6-2025-4076,SUSE-SLE-Module-Containers-15-SP7-2025-4076,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-4076,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-4076,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-4076,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-4076,openSUSE-SLE-15.6-2025-4076",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4076-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:4076-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254076-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:4076-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023262.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253096",
        "url": "https://bugzilla.suse.com/1253096"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52881 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52881/"
      }
    ],
    "title": "Security update for buildah",
    "tracking": {
      "current_release_date": "2025-11-12T10:35:40Z",
      "generator": {
        "date": "2025-11-12T10:35:40Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:4076-1",
      "initial_release_date": "2025-11-12T10:35:40Z",
      "revision_history": [
        {
          "date": "2025-11-12T10:35:40Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150500.3.45.1.aarch64",
                "product": {
                  "name": "buildah-1.35.5-150500.3.45.1.aarch64",
                  "product_id": "buildah-1.35.5-150500.3.45.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150500.3.45.1.i586",
                "product": {
                  "name": "buildah-1.35.5-150500.3.45.1.i586",
                  "product_id": "buildah-1.35.5-150500.3.45.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150500.3.45.1.ppc64le",
                "product": {
                  "name": "buildah-1.35.5-150500.3.45.1.ppc64le",
                  "product_id": "buildah-1.35.5-150500.3.45.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150500.3.45.1.s390x",
                "product": {
                  "name": "buildah-1.35.5-150500.3.45.1.s390x",
                  "product_id": "buildah-1.35.5-150500.3.45.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "buildah-1.35.5-150500.3.45.1.x86_64",
                "product": {
                  "name": "buildah-1.35.5-150500.3.45.1.x86_64",
                  "product_id": "buildah-1.35.5-150500.3.45.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Containers 15 SP6",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Containers 15 SP6",
                  "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-containers:15:sp6"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Containers 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Containers 15 SP7",
                  "product_id": "SUSE Linux Enterprise Module for Containers 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-containers:15:sp7"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.ppc64le"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.s390x as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.s390x"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.ppc64le"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.s390x as component of SUSE Linux Enterprise Module for Containers 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.s390x"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:buildah-1.35.5-150500.3.45.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:buildah-1.35.5-150500.3.45.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.ppc64le"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.s390x as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.s390x"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:buildah-1.35.5-150500.3.45.1.ppc64le"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:buildah-1.35.5-150500.3.45.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.aarch64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.aarch64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.ppc64le as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.ppc64le"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.s390x as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.s390x"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "buildah-1.35.5-150500.3.45.1.x86_64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.x86_64"
        },
        "product_reference": "buildah-1.35.5-150500.3.45.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-52881",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52881"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:buildah-1.35.5-150500.3.45.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:buildah-1.35.5-150500.3.45.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.ppc64le",
          "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.s390x",
          "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.ppc64le",
          "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.s390x",
          "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.s390x",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:buildah-1.35.5-150500.3.45.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:buildah-1.35.5-150500.3.45.1.x86_64",
          "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.aarch64",
          "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.ppc64le",
          "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.s390x",
          "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52881",
          "url": "https://www.suse.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:buildah-1.35.5-150500.3.45.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:buildah-1.35.5-150500.3.45.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:buildah-1.35.5-150500.3.45.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:buildah-1.35.5-150500.3.45.1.x86_64",
            "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.aarch64",
            "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.ppc64le",
            "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.s390x",
            "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:buildah-1.35.5-150500.3.45.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:buildah-1.35.5-150500.3.45.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP6:buildah-1.35.5-150500.3.45.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.ppc64le",
            "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.s390x",
            "SUSE Linux Enterprise Module for Containers 15 SP7:buildah-1.35.5-150500.3.45.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.s390x",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:buildah-1.35.5-150500.3.45.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:buildah-1.35.5-150500.3.45.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:buildah-1.35.5-150500.3.45.1.x86_64",
            "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.aarch64",
            "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.ppc64le",
            "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.s390x",
            "openSUSE Leap 15.6:buildah-1.35.5-150500.3.45.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-12T10:35:40Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52881"
    }
  ]
}

SUSE-SU-2025:4077-1

Vulnerability from csaf_suse - Published: 2025-11-12 10:36 - Updated: 2025-11-12 10:36

Summary

Security update for runc

Severity

Important

Notes

Title of the patch: Security update for runc

Patchnames: SUSE-2025-4077,SUSE-SLE-SERVER-12-SP5-LTSS-2025-4077,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-4077

CVE-2025-31133

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 5 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52565

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 5 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-52881

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 5 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64	—	Vendor Fix

Threats

Impact important

References

18 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1252110	self
https://bugzilla.suse.com/1252232	self
https://www.suse.com/security/cve/CVE-2025-31133/	self
https://www.suse.com/security/cve/CVE-2025-52565/	self
https://www.suse.com/security/cve/CVE-2025-52881/	self
https://www.suse.com/security/cve/CVE-2025-31133	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52565	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external
https://www.suse.com/security/cve/CVE-2025-52881	external
https://bugzilla.suse.com/1252232	external
https://bugzilla.suse.com/1255063	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for runc",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for runc fixes the following issues:\n\nUpdate to runc v1.3.3. Upstream changelog is available from\n\n  \u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.3\u003e. bsc#1252232\n\n  * CVE-2025-31133\n  * CVE-2025-52565\n  * CVE-2025-52881\n\nUpdate to runc v1.3.2. Upstream changelog is available from\n\n\u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.2\u003e bsc#1252110\n\n  - Includes an important fix for the CPUSet translation for cgroupv2.\n\nUpdate to runc v1.3.1. Upstream changelog is available from\n\n\u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.1\u003e\n\nUpdate to runc v1.3.0. Upstream changelog is available from\n\n\u003chttps://github.com/opencontainers/runc/releases/tag/v1.3.0\u003e",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-4077,SUSE-SLE-SERVER-12-SP5-LTSS-2025-4077,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-4077",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4077-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:4077-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254077-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:4077-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023261.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252110",
        "url": "https://bugzilla.suse.com/1252110"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252232",
        "url": "https://bugzilla.suse.com/1252232"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-31133 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-31133/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52565 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52565/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-52881 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-52881/"
      }
    ],
    "title": "Security update for runc",
    "tracking": {
      "current_release_date": "2025-11-12T10:36:08Z",
      "generator": {
        "date": "2025-11-12T10:36:08Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:4077-1",
      "initial_release_date": "2025-11-12T10:36:08Z",
      "revision_history": [
        {
          "date": "2025-11-12T10:36:08Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-16.70.1.aarch64",
                "product": {
                  "name": "runc-1.3.3-16.70.1.aarch64",
                  "product_id": "runc-1.3.3-16.70.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-16.70.1.i586",
                "product": {
                  "name": "runc-1.3.3-16.70.1.i586",
                  "product_id": "runc-1.3.3-16.70.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-16.70.1.ppc64le",
                "product": {
                  "name": "runc-1.3.3-16.70.1.ppc64le",
                  "product_id": "runc-1.3.3-16.70.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-16.70.1.s390x",
                "product": {
                  "name": "runc-1.3.3-16.70.1.s390x",
                  "product_id": "runc-1.3.3-16.70.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-1.3.3-16.70.1.x86_64",
                "product": {
                  "name": "runc-1.3.3-16.70.1.x86_64",
                  "product_id": "runc-1.3.3-16.70.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 12 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 12 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:12:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
                  "product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss-extended-security:12:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-16.70.1.aarch64 as component of SUSE Linux Enterprise Server 12 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64"
        },
        "product_reference": "runc-1.3.3-16.70.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-16.70.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le"
        },
        "product_reference": "runc-1.3.3-16.70.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-16.70.1.s390x as component of SUSE Linux Enterprise Server 12 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x"
        },
        "product_reference": "runc-1.3.3-16.70.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-16.70.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64"
        },
        "product_reference": "runc-1.3.3-16.70.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-1.3.3-16.70.1.x86_64 as component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
          "product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64"
        },
        "product_reference": "runc-1.3.3-16.70.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-31133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-31133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack:  an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64",
          "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-31133",
          "url": "https://www.suse.com/security/cve/CVE-2025-31133"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-31133",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-12T10:36:08Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-31133"
    },
    {
      "cve": "CVE-2025-52565",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52565"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64",
          "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52565",
          "url": "https://www.suse.com/security/cve/CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52565",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-12T10:36:08Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52565"
    },
    {
      "cve": "CVE-2025-52881",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-52881"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x",
          "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64",
          "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-52881",
          "url": "https://www.suse.com/security/cve/CVE-2025-52881"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252232 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1252232"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255063 for CVE-2025-52881",
          "url": "https://bugzilla.suse.com/1255063"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.aarch64",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.s390x",
            "SUSE Linux Enterprise Server 12 SP5-LTSS:runc-1.3.3-16.70.1.x86_64",
            "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:runc-1.3.3-16.70.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-12T10:36:08Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-52881"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-52881 (GCVE-0-2025-52881)

Tags

Sightings

Nomenclature