CVE-2025-52881 (GCVE-0-2025-52881)
Vulnerability from cvelistv5 – Published: 2025-11-06 20:23 – Updated: 2025-11-06 21:07

| Vendor | Product | Version | |
|---|---|---|---|
| opencontainers | runc | Affected: <= 1.2.7, < 1.2.8; Affected: <= 1.3.2, < 1.3.3; Affected: <= 1.4.0-rc.2, < 1.4.0-rc.3 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:06:59.235416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:07:09.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "runc",
"vendor": "opencontainers",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.2.7, \u003c 1.2.8"
},
{
"status": "affected",
"version": "\u003c= 1.3.2, \u003c 1.3.3"
},
{
"status": "affected",
"version": "\u003c= 1.4.0-rc.2, \u003c 1.4.0-rc.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-363",
"description": "CWE-363: Race Condition Enabling Link Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:23:36.237Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
},
{
"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
},
{
"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
},
{
"name": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
},
{
"name": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51"
},
{
"name": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1"
},
{
"name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
},
{
"name": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165"
},
{
"name": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2"
},
{
"name": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28"
},
{
"name": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db"
},
{
"name": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544"
},
{
"name": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f"
},
{
"name": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6"
},
{
"name": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58"
},
{
"name": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d"
},
{
"name": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557"
},
{
"name": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md"
},
{
"name": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322",
"tags": [
"x_refsource_MISC"
],
"url": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322"
},
{
"name": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3",
"tags": [
"x_refsource_MISC"
],
"url": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3"
}
],
"source": {
"advisory": "GHSA-cgrx-mc8f-2prm",
"discovery": "UNKNOWN"
},
"title": "runc: LSM labels can be bypassed with malicious config using dummy procfs files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52881",
"datePublished": "2025-11-06T20:23:36.237Z",
"dateReserved": "2025-06-20T17:42:25.708Z",
"dateUpdated": "2025-11-06T21:07:09.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-52881",
"date": "2026-06-05",
"epss": "0.00016",
"percentile": "0.0368"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-52881\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-06T21:15:42.817\",\"lastModified\":\"2025-12-03T18:37:17.917\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. 
This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequire
d\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-61\"},{\"lang\":\"en\",\"value\":\"CWE-363\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.8\",\"matchCriteriaId\":\"889E52A1-D7B0-4DC8-BD63-9413A1DD9EEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3.0\",\"versionEndExcluding\":\"1.3.3\",\"matchCriteriaId\":\"F3193A96-E882-439B-984E-782315C62F69\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:runc:1.4.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"082E3496-822B-481B-AC2F-DA8DCAFC28FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:runc:1.4.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"71C62E90-6357-44A4-B582-28B1F1D9B16D\"}]}]}],\"references\":[{\"url\":\"http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d\",\"source\":\"security-advisories@github.
com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480\",\"source\":\"security-ad
visories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-52881\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-06T21:06:59.235416Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-06T21:07:04.283Z\"}}], \"cna\": {\"title\": \"runc: LSM labels can be bypassed with malicious config using dummy procfs files\", \"source\": {\"advisory\": \"GHSA-cgrx-mc8f-2prm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"opencontainers\", \"product\": \"runc\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 1.2.7, \u003c 1.2.8\"}, {\"status\": \"affected\", \"version\": \"\u003c= 1.3.2, \u003c 1.3.3\"}, {\"status\": \"affected\", \"version\": \"\u003c= 1.4.0-rc.2, \u003c 1.4.0-rc.3\"}]}], \"references\": [{\"url\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\", \"name\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r\", \"name\": 
\"https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2\", \"name\": \"https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480\", \"name\": \"https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51\", \"name\": \"https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1\", \"name\": \"https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64\", \"name\": \"https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165\", \"name\": \"https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2\", \"name\": \"https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28\", \"name\": \"https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28\", \"tags\": 
[\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db\", \"name\": \"https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544\", \"name\": \"https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f\", \"name\": \"https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6\", \"name\": \"https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58\", \"name\": \"https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d\", \"name\": \"https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557\", \"name\": \"https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md\", \"name\": \"https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322\", 
\"name\": \"http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3\", \"name\": \"http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-61\", \"description\": \"CWE-61: UNIX Symbolic Link (Symlink) Following\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-363\", \"description\": \"CWE-363: Race Condition Enabling Link Following\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-06T20:23:36.237Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-52881\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-06T21:07:09.382Z\", \"dateReserved\": \"2025-06-20T17:42:25.708Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-06T20:23:36.237Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2025-52881
Vulnerability from fkie_nvd - Published: 2025-11-06 21:15 - Updated: 2025-12-03 18:37

| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | runc | * | |
| linuxfoundation | runc | * | |
| linuxfoundation | runc | 1.4.0 | |
| linuxfoundation | runc | 1.4.0 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "889E52A1-D7B0-4DC8-BD63-9413A1DD9EEB",
"versionEndExcluding": "1.2.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F3193A96-E882-439B-984E-782315C62F69",
"versionEndExcluding": "1.3.3",
"versionStartIncluding": "1.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:runc:1.4.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "082E3496-822B-481B-AC2F-DA8DCAFC28FF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:runc:1.4.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "71C62E90-6357-44A4-B582-28B1F1D9B16D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3."
}
],
"id": "CVE-2025-52881",
"lastModified": "2025-12-03T18:37:17.917",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-11-06T21:15:42.817",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-61"
},
{
"lang": "en",
"value": "CWE-363"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-CGRX-MC8F-2PRM
Vulnerability from github – Published: 2025-11-05 18:40 – Updated: 2025-11-18 18:38

Impact
This attack is primarily a more sophisticated version of CVE-2019-19921, which was a flaw which allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation runc applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when runc writes LSM labels that those labels are actual procfs files.
Rather than using a fake tmpfs file for /proc/self/attr/<label>, an attacker could instead (through various means) make /proc/self/attr/<label> reference a real procfs file, but one that would still be a no-op (such as /proc/self/sched). This would have the same effect but would clear the "is a procfs file" check. Runc is aware that this kind of attack would be possible (even going so far as to discuss this publicly as "future work" at conferences), and runc is working on a far more comprehensive mitigation of this attack, but this security issue was disclosed before runc could complete this work.
In all known versions of runc, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (runc has also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts.
Note that while /proc/self/attr/<label> was the example used above (which is LSM-specific), this issue affects all writes to /proc in runc and thus also affects sysctls (written to /proc/sys/...) and some other APIs.
Additional Impacts
While investigating this issue, runc discovered that another risk with these redirected writes is that they could be redirected to dangerous files such as /proc/sysrq-trigger rather than just no-op files like /proc/self/sched. For instance, the default AppArmor profile name in Docker is docker-default, which when written to /proc/sysrq-trigger would cause the host system to crash.
When this was discovered, runc conducted an audit of other write operations within runc and found several possible areas where runc could be used as a semi-arbitrary write gadget when combined with the above race attacks. The most concerning attack scenario was the configuration of sysctls. Because the contents of the sysctl are free-form text, an attacker could use a misdirected write to write to /proc/sys/kernel/core_pattern and break out of the container (as described in CVE-2025-31133, kernel upcalls are not namespaced and so coredump helpers will run with complete root privileges on the host). Even if the attacker cannot configure custom sysctls, a valid sysctl string (when redirected to /proc/sysrq-trigger) can easily cause the machine to hang.
Note that the fact that this attack allows you to disable LSM labels makes it a very useful attack to combine with CVE-2025-31133 (as one of the only mitigations available to most users for that issue is AppArmor, and this attack would let you bypass that). However, the misdirected write issue above means that you could also achieve most of the same goals without needing to chain together attacks.
Patches
This advisory is being published as part of a set of three advisories:
- CVE-2025-31133
- CVE-2025-52881
- CVE-2025-52565
The patches fixing this issue have accordingly been combined into a single patchset. The following patches from that patchset resolve the issues in this advisory:
- db19bbed5348 ("internal/sys: add VerifyInode helper")
- 6fc191449109 ("internal: move utils.MkdirAllInRoot to internal/pathrs")
- ff94f9991bd3 ("*: switch to safer securejoin.Reopen")
- 44a0fcf685db ("go.mod: update to github.com/cyphar/filepath-securejoin@v0.5.0")
- 77889b56db93 ("internal: add wrappers for securejoin.Proc*")
- fdcc9d3cad2f ("apparmor: use safe procfs API for labels")
- ff6fe1324663 ("utils: use safe procfs for /proc/self/fd loop code")
- b3dd1bc562ed ("utils: remove unneeded EnsureProcHandle")
- 77d217c7c377 ("init: write sysctls using safe procfs API")
- 435cc81be6b7 ("init: use securejoin for /proc/self/setgroups")
- d61fd29d854b ("libct/system: use securejoin for /proc/$pid/stat")
- 4b37cd93f86e ("libct: align param type for mountCgroupV1/V2 functions")
- d40b3439a961 ("rootfs: switch to fd-based handling of mountpoint targets")
- ed6b1693b8b3 ("selinux: use safe procfs API for labels")
  - Please note that this patch includes a private patch for `github.com/opencontainers/selinux` that could not be made public through a public pull request (as it would necessarily disclose this embargoed security issue). The patch includes a complete copy of the forked code and a `replace` directive (as well as `go mod vendor` applied), which should still work with downstream build systems. If you cannot apply this patch, you can safely drop it -- some of the other patches in this series should block these kinds of racing mount attacks entirely. See https://github.com/opencontainers/selinux/pull/237 for the upstream patch.
- 3f925525b44d ("rootfs: re-allow dangling symlinks in mount targets")
- a41366e74080 ("openat2: improve resilience on busy systems")
runc 1.2.8, 1.3.3, and 1.4.0-rc.3 have been released and all contain fixes for these issues. As per runc's new release model, runc 1.1.x and earlier are no longer supported and thus have not been patched.
Mitigations
- Do not run untrusted container images from unknown or unverified sources.
- For the basic no-op attack, this attack allows a container process to run with the same LSM labels as `runc`. For most AppArmor deployments this means it will be `unconfined`, and for SELinux it will likely be `container_runtime_t`. Runc has not conducted in-depth testing of the impact on SELinux -- it is possible that it provides some reasonable protection, but it seems likely that an attacker could cause harm to systems even with such an SELinux setup.
- For the more involved redirect and write gadget attacks, unfortunately most LSM profiles (including the standard container-selinux profiles) provide the container runtime access to sysctl files (including `/proc/sysrq-trigger`), and so LSMs likely do not provide much protection against these attacks.
- Using rootless containers provides some protection against these kinds of bugs (privileged writes in runc being redirected) -- by having runc itself be an unprivileged process, in general you would expect the impact scope of a runc bug to be less severe, as it would only have the privileges afforded to the host user which spawned runc. For this particular bug, the privilege escalation caused by the inadvertent write issue is entirely mitigated with rootless containers because the unprivileged user that the `runc` process is executing as cannot write to the aforementioned procfs files (even intentionally).
Other Runtimes
As this vulnerability boils down to a fairly easy-to-make logic bug, runc has provided information to other OCI (crun, youki) and non-OCI (LXC) container runtimes about this vulnerability.
Based on discussions with other runtimes, it seems that crun and youki may have similar security issues and will release a co-ordinated security release along with runc. LXC appears to use the host's /proc for all procfs operations, and so is likely not vulnerable to this issue (this is a trade-off -- runc uses the container's procfs to avoid CVE-2016-9962-style attacks).
Credits
Thanks to Li Fubang (@lifubang from acmcoder.com, CIIC) and Tõnis Tiigi (@tonistiigi from Docker) for both independently discovering this vulnerability, as well as Aleksa Sarai (@cyphar from SUSE) for the original research into this class of security issues and solutions.
Additional thanks go to Tõnis Tiigi for finding some very useful exploit templates for these kinds of race attacks using docker buildx build.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.2.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/opencontainers/runc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.12.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/opencontainers/selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.3.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/opencontainers/runc"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0-rc.1"
},
{
"fixed": "1.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.0-rc.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/opencontainers/runc"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0-rc.1"
},
{
"fixed": "1.4.0-rc.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-52881"
],
"database_specific": {
"cwe_ids": [
"CWE-363",
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-05T18:40:40Z",
"nvd_published_at": "2025-11-06T21:15:42Z",
"severity": "HIGH"
},
"details": "### Impact ###\n\nThis attack is primarily a more sophisticated version of CVE-2019-19921, which was a flaw which allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy `tmpfs` file and thus not apply the correct LSM labels to the container process. The mitigation runc applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when runc writes LSM labels that those labels are actual procfs files.\n\nRather than using a fake `tmpfs` file for `/proc/self/attr/\u003clabel\u003e`, an attacker could instead (through various means) make `/proc/self/attr/\u003clabel\u003e` reference a real `procfs` file, but one that would still be a no-op (such as `/proc/self/sched`). This would have the same effect but would clear the \"is a procfs file\" check. Runc is aware that this kind of attack would be possible (even going so far as to discuss this publicly as \"future work\" at conferences), and runc is working on a far more comprehensive mitigation of this attack, but this security issue was disclosed before runc could complete this work.\n\nIn all known versions of runc, an attacker can trick runc into misdirecting writes to `/proc` to other procfs files through the use of a racing container with shared mounts (runc has also verified this attack is possible to exploit using a standard Dockerfile with `docker buildx build` as that also permits triggering parallel execution of containers with custom shared mounts configured). 
This redirect could be through symbolic links in a `tmpfs` or theoretically other methods such as regular bind-mounts.\n\nNote that while `/proc/self/attr/\u003clabel\u003e` was the example used above (which is LSM-specific), this issue affect all writes to `/proc` in runc and thus also affects sysctls (written to `/proc/sys/...`) and some other APIs.\n\n#### Additional Impacts ####\n\nWhile investigating this issue, runc discovered that another risk with these redirected writes is that they could be redirected to dangerous files such as `/proc/sysrq-trigger` rather than just no-op files like `/proc/self/sched`. For instance, the default AppArmor profile name in Docker is `docker-default`, which when written to `/proc/sysrq-trigger` would cause the host system to crash.\n\nWhen this was discovered, runc conducted an audit of other write operations within runc and found several possible areas where runc could be used as a semi-arbitrary write gadget when combined with the above race attacks. The most concerning attack scenario was the configuration of sysctls. Because the contents of the sysctl are free-form text, an attacker could use a misdirected write to write to `/proc/sys/kernel/core_pattern` and break out of the container (as described in CVE-2025-31133, kernel upcalls are not namespaced and so coredump helpers will run with complete root privileges on the host). Even if the attacker cannot configure custom sysctls, a valid sysctl string (when redirected to `/proc/sysrq-trigger`) can easily cause the machine to hang.\n\nNote that the fact that this attack allows you to disable LSM labels makes it a very useful attack to combine with CVE-2025-31133 (as one of the only mitigations available to most users for that issue is AppArmor, and this attack would let you bypass that). 
However, the misdirected write issue above means that you could also achieve most of the same goals without needing to chain together attacks.\n\n### Patches ###\n\nThis advisory is being published as part of a set of three advisories:\n\n * CVE-2025-31133\n * CVE-2025-52881\n * CVE-2025-52565\n\nThe patches fixing this issue have accordingly been combined into a single patchset. The following patches from that patchset resolve the issues in this advisory:\n\n * db19bbed5348 (\"internal/sys: add VerifyInode helper\")\n * 6fc191449109 (\"internal: move utils.MkdirAllInRoot to internal/pathrs\")\n * ff94f9991bd3 (\"*: switch to safer securejoin.Reopen\")\n * 44a0fcf685db (\"go.mod: update to github.com/cyphar/filepath-securejoin@v0.5.0\")\n * 77889b56db93 (\"internal: add wrappers for securejoin.Proc*\")\n * fdcc9d3cad2f (\"apparmor: use safe procfs API for labels\")\n * ff6fe1324663 (\"utils: use safe procfs for /proc/self/fd loop code\")\n * b3dd1bc562ed (\"utils: remove unneeded EnsureProcHandle\")\n * 77d217c7c377 (\"init: write sysctls using safe procfs API\")\n * 435cc81be6b7 (\"init: use securejoin for /proc/self/setgroups\")\n * d61fd29d854b (\"libct/system: use securejoin for /proc/$pid/stat\")\n * 4b37cd93f86e (\"libct: align param type for mountCgroupV1/V2 functions\")\n * d40b3439a961 (\"rootfs: switch to fd-based handling of mountpoint targets\")\n * ed6b1693b8b3 (\"selinux: use safe procfs API for labels\")\n - Please note that this patch includes a private patch for `github.com/opencontainers/selinux` that could not be made public through a public pull request (as it would necessarily disclose this embargoed security issue).\n\n The patch includes a complete copy of the forked code and a `replace` directive (as well as `go mod vendor` applied), which should still work with downstream build systems. 
If you cannot apply this patch, you can safely drop it -- some of the other patches in this series should block these kinds of racing mount attacks entirely.\n\n See https://github.com/opencontainers/selinux/pull/237 for the upstream patch.\n * 3f925525b44d (\"rootfs: re-allow dangling symlinks in mount targets\")\n * a41366e74080 (\"openat2: improve resilience on busy systems\")\n\nrunc 1.2.8, 1.3.3, and 1.4.0-rc.3 have been released and all contain fixes for these issues. As per [runc\u0027s new release model][RELEASES.md], runc 1.1.x and earlier are no longer supported and thus have not been patched.\n\n[CVE-2025-31133]: https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2\n[CVE-2025-52565]: https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r\n[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\n[RELEASES.md]: https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md\n\n### Mitigations ###\n\n * Do not run untrusted container images from unknown or unverified sources.\n\n * For the basic no-op attack, this attack allows a container process to run with the same LSM labels as `runc`. For most AppArmor deployments this means it will be `unconfined`, and for SELinux it will likely be `container_runtime_t`. 
Runc has not conducted in-depth testing of the impact on SELinux -- it is possible that it provides some reasonable protection but it seems likely that an attacker could cause harm to systems even with such an SELinux setup.\n\n * For the more involved redirect and write gadget attacks, unfortunately most LSM profiles (including the standard container-selinux profiles) provide the container runtime access to sysctl files (including `/proc/sysrq-trigger`) and so LSMs likely do not provide much protection against these attacks.\n\n * Using rootless containers provides some protection against these kinds of bugs (privileged writes in runc being redirected) -- by having runc itself be an unprivileged process, in general you would expect the impact scope of a runc bug to be less severe as it would only have the privileges afforded to the host user which spawned runc. For this particular bug, the privilege escalation caused by the inadvertent write issue is entirely mitigated with rootless containers because the unprivileged user that the `runc` process is executing as cannot write to the aforementioned procfs files (even intentionally).\n\n### Other Runtimes ###\n\nAs this vulnerability boils down to a fairly easy-to-make logic bug, runc has provided information to other OCI (crun, youki) and non-OCI (LXC) container runtimes about this vulnerability.\n\nBased on discussions with other runtimes, it seems that crun and youki may have similar security issues and will release a co-ordinated security release along with runc. 
LXC appears to use the host\u0027s `/proc` for all procfs operations, and so is likely not vulnerable to this issue (this is a trade-off -- runc uses the container\u0027s procfs to avoid CVE-2016-9962-style attacks).\n\n[CVE-2016-9962]: https://seclists.org/fulldisclosure/2017/Jan/21\n\n### Credits ###\n\nThanks to Li Fubang (@lifubang from acmcoder.com, CIIC) and T\u00f5nis Tiigi (@tonistiigi from Docker) for both independently discovering this vulnerability, as well as Aleksa Sarai (@cyphar from SUSE) for the original research into this class of security issues and solutions.\n\nAdditional thanks go to T\u00f5nis Tiigi for finding some very useful exploit templates for these kinds of race attacks using `docker buildx build`.",
"id": "GHSA-cgrx-mc8f-2prm",
"modified": "2025-11-18T18:38:01Z",
"published": "2025-11-05T18:40:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52881"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/selinux/pull/237"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557"
},
{
"type": "WEB",
"url": "https://youtu.be/tGseJW_uBB8"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
},
{
"type": "WEB",
"url": "https://youtu.be/y1PaBzxwRWQ"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/selinux/releases/tag/v1.13.0"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md"
},
{
"type": "PACKAGE",
"url": "https://github.com/opencontainers/runc"
},
{
"type": "WEB",
"url": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322"
},
{
"type": "WEB",
"url": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects"
}
MSRC_CVE-2025-52881
Vulnerability from csaf_microsoft - Published: 2025-11-02 00:00 - Updated: 2026-01-13 01:41
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 20659-17086 | — | ||
| Unresolved product id: 20713-17084 | — | ||
| Unresolved product id: 20794-17084 | — | ||
| Unresolved product id: 20660-17084 | — |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17086-5 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 17086-7 | — |
None Available
|
|
| Unresolved product id: 17084-6 | — |
None Available
|
|
| Unresolved product id: 17084-3 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 17084-1 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 17084-4 | — |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17086-2 | — |
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2025/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2025/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2025-52881 runc: LSM labels can be bypassed with malicious config using dummy procfs files - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-52881.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "runc: LSM labels can be bypassed with malicious config using dummy procfs files",
"tracking": {
"current_release_date": "2026-01-13T01:41:05.000Z",
"generator": {
"date": "2026-02-18T14:58:53.122Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2025-52881",
"initial_release_date": "2025-11-02T00:00:00.000Z",
"revision_history": [
{
"date": "2025-11-09T01:02:40.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2025-11-21T01:03:59.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
},
{
"date": "2025-12-07T01:37:15.000Z",
"legacy_version": "3",
"number": "3",
"summary": "Information published."
},
{
"date": "2026-01-03T01:39:17.000Z",
"legacy_version": "4",
"number": "4",
"summary": "Information published."
},
{
"date": "2026-01-08T14:39:48.000Z",
"legacy_version": "5",
"number": "5",
"summary": "Information published."
},
{
"date": "2026-01-13T01:41:05.000Z",
"legacy_version": "6",
"number": "6",
"summary": "Information published."
}
],
"status": "final",
"version": "6"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 moby-runc 1.1.9-9",
"product": {
"name": "\u003ccbl2 moby-runc 1.1.9-9",
"product_id": "5"
}
},
{
"category": "product_version",
"name": "cbl2 moby-runc 1.1.9-9",
"product": {
"name": "cbl2 moby-runc 1.1.9-9",
"product_id": "20659"
}
}
],
"category": "product_name",
"name": "moby-runc"
},
{
"branches": [
{
"category": "product_version_range",
"name": "cbl2 kubernetes 1.28.4-19",
"product": {
"name": "cbl2 kubernetes 1.28.4-19",
"product_id": "7"
}
},
{
"category": "product_version_range",
"name": "azl3 kubernetes 1.30.10-14",
"product": {
"name": "azl3 kubernetes 1.30.10-14",
"product_id": "6"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 kubernetes 1.30.10-16",
"product": {
"name": "\u003cazl3 kubernetes 1.30.10-16",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "azl3 kubernetes 1.30.10-16",
"product": {
"name": "azl3 kubernetes 1.30.10-16",
"product_id": "20713"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 kubernetes 1.30.10-18",
"product": {
"name": "\u003cazl3 kubernetes 1.30.10-18",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "azl3 kubernetes 1.30.10-18",
"product": {
"name": "azl3 kubernetes 1.30.10-18",
"product_id": "20794"
}
}
],
"category": "product_name",
"name": "kubernetes"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 runc 1.3.3-1",
"product": {
"name": "\u003cazl3 runc 1.3.3-1",
"product_id": "4"
}
},
{
"category": "product_version",
"name": "azl3 runc 1.3.3-1",
"product": {
"name": "azl3 runc 1.3.3-1",
"product_id": "20660"
}
}
],
"category": "product_name",
"name": "runc"
},
{
"category": "product_name",
"name": "cbl2 kubernetes 1.28.4-21",
"product": {
"name": "cbl2 kubernetes 1.28.4-21",
"product_id": "2"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 moby-runc 1.1.9-9 as a component of CBL Mariner 2.0",
"product_id": "17086-5"
},
"product_reference": "5",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 moby-runc 1.1.9-9 as a component of CBL Mariner 2.0",
"product_id": "20659-17086"
},
"product_reference": "20659",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 kubernetes 1.28.4-19 as a component of CBL Mariner 2.0",
"product_id": "17086-7"
},
"product_reference": "7",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kubernetes 1.30.10-14 as a component of Azure Linux 3.0",
"product_id": "17084-6"
},
"product_reference": "6",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 kubernetes 1.30.10-16 as a component of Azure Linux 3.0",
"product_id": "17084-3"
},
"product_reference": "3",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kubernetes 1.30.10-16 as a component of Azure Linux 3.0",
"product_id": "20713-17084"
},
"product_reference": "20713",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 kubernetes 1.28.4-21 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 kubernetes 1.30.10-18 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kubernetes 1.30.10-18 as a component of Azure Linux 3.0",
"product_id": "20794-17084"
},
"product_reference": "20794",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 runc 1.3.3-1 as a component of Azure Linux 3.0",
"product_id": "17084-4"
},
"product_reference": "4",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 runc 1.3.3-1 as a component of Azure Linux 3.0",
"product_id": "20660-17084"
},
"product_reference": "20660",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-52881",
"cwe": {
"id": "CWE-61",
"name": "UNIX Symbolic Link (Symlink) Following"
},
"flags": [
{
"label": "component_not_present",
"product_ids": [
"17086-2"
]
}
],
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"20659-17086",
"20713-17084",
"20794-17084",
"20660-17084"
],
"known_affected": [
"17086-5",
"17086-7",
"17084-6",
"17084-3",
"17084-1",
"17084-4"
],
"known_not_affected": [
"17086-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-52881 runc: LSM labels can be bypassed with malicious config using dummy procfs files - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-52881.json"
}
],
"remediations": [
{
"category": "none_available",
"date": "2025-11-09T01:02:40.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17086-7"
]
},
{
"category": "none_available",
"date": "2025-11-09T01:02:40.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17084-6"
]
},
{
"category": "vendor_fix",
"date": "2025-11-09T01:02:40.000Z",
"details": "1.2.8-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-5"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2025-11-09T01:02:40.000Z",
"details": "1.30.10-18:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-3",
"17084-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"title": "runc: LSM labels can be bypassed with malicious config using dummy procfs files"
}
]
}
OPENSUSE-SU-2025:15705-1
Vulnerability from csaf_opensuse - Published: 2025-11-05 00:00 - Updated: 2025-11-05 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "runc-1.3.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the runc-1.3.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15705",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15705-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-31133 page",
"url": "https://www.suse.com/security/cve/CVE-2025-31133/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-52565 page",
"url": "https://www.suse.com/security/cve/CVE-2025-52565/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-52881 page",
"url": "https://www.suse.com/security/cve/CVE-2025-52881/"
}
],
"title": "runc-1.3.3-1.1 on GA media",
"tracking": {
"current_release_date": "2025-11-05T00:00:00Z",
"generator": {
"date": "2025-11-05T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15705-1",
"initial_release_date": "2025-11-05T00:00:00Z",
"revision_history": [
{
"date": "2025-11-05T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "runc-1.3.3-1.1.aarch64",
"product": {
"name": "runc-1.3.3-1.1.aarch64",
"product_id": "runc-1.3.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "runc-1.3.3-1.1.ppc64le",
"product": {
"name": "runc-1.3.3-1.1.ppc64le",
"product_id": "runc-1.3.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "runc-1.3.3-1.1.s390x",
"product": {
"name": "runc-1.3.3-1.1.s390x",
"product_id": "runc-1.3.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "runc-1.3.3-1.1.x86_64",
"product": {
"name": "runc-1.3.3-1.1.x86_64",
"product_id": "runc-1.3.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.3.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64"
},
"product_reference": "runc-1.3.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.3.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le"
},
"product_reference": "runc-1.3.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.3.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:runc-1.3.3-1.1.s390x"
},
"product_reference": "runc-1.3.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.3.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64"
},
"product_reference": "runc-1.3.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-31133",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-31133"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:runc-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-31133",
"url": "https://www.suse.com/security/cve/CVE-2025-31133"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-31133",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-31133",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:runc-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:runc-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-05T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-31133"
},
{
"cve": "CVE-2025-52565",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-52565"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can lead to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:runc-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-52565",
"url": "https://www.suse.com/security/cve/CVE-2025-52565"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-52565",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-52565",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:runc-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:runc-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-05T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-52565"
},
{
"cve": "CVE-2025-52881",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-52881"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:runc-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-52881",
"url": "https://www.suse.com/security/cve/CVE-2025-52881"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:runc-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:runc-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:runc-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:runc-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:runc-1.3.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-05T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-52881"
}
]
}
OPENSUSE-SU-2025:15721-1
Vulnerability from csaf_opensuse - Published: 2025-11-09 00:00 - Updated: 2025-11-09 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:incus-6.17-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-6.17-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-6.17-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-6.17-2.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-tools-6.17-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-tools-6.17-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-tools-6.17-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-tools-6.17-2.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "incus-6.17-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the incus-6.17-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15721",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15721-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-52881 page",
"url": "https://www.suse.com/security/cve/CVE-2025-52881/"
}
],
"title": "incus-6.17-2.1 on GA media",
"tracking": {
"current_release_date": "2025-11-09T00:00:00Z",
"generator": {
"date": "2025-11-09T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15721-1",
"initial_release_date": "2025-11-09T00:00:00Z",
"revision_history": [
{
"date": "2025-11-09T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "incus-6.17-2.1.aarch64",
"product": {
"name": "incus-6.17-2.1.aarch64",
"product_id": "incus-6.17-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "incus-bash-completion-6.17-2.1.aarch64",
"product": {
"name": "incus-bash-completion-6.17-2.1.aarch64",
"product_id": "incus-bash-completion-6.17-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "incus-fish-completion-6.17-2.1.aarch64",
"product": {
"name": "incus-fish-completion-6.17-2.1.aarch64",
"product_id": "incus-fish-completion-6.17-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "incus-tools-6.17-2.1.aarch64",
"product": {
"name": "incus-tools-6.17-2.1.aarch64",
"product_id": "incus-tools-6.17-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "incus-zsh-completion-6.17-2.1.aarch64",
"product": {
"name": "incus-zsh-completion-6.17-2.1.aarch64",
"product_id": "incus-zsh-completion-6.17-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "incus-6.17-2.1.ppc64le",
"product": {
"name": "incus-6.17-2.1.ppc64le",
"product_id": "incus-6.17-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "incus-bash-completion-6.17-2.1.ppc64le",
"product": {
"name": "incus-bash-completion-6.17-2.1.ppc64le",
"product_id": "incus-bash-completion-6.17-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "incus-fish-completion-6.17-2.1.ppc64le",
"product": {
"name": "incus-fish-completion-6.17-2.1.ppc64le",
"product_id": "incus-fish-completion-6.17-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "incus-tools-6.17-2.1.ppc64le",
"product": {
"name": "incus-tools-6.17-2.1.ppc64le",
"product_id": "incus-tools-6.17-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "incus-zsh-completion-6.17-2.1.ppc64le",
"product": {
"name": "incus-zsh-completion-6.17-2.1.ppc64le",
"product_id": "incus-zsh-completion-6.17-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "incus-6.17-2.1.s390x",
"product": {
"name": "incus-6.17-2.1.s390x",
"product_id": "incus-6.17-2.1.s390x"
}
},
{
"category": "product_version",
"name": "incus-bash-completion-6.17-2.1.s390x",
"product": {
"name": "incus-bash-completion-6.17-2.1.s390x",
"product_id": "incus-bash-completion-6.17-2.1.s390x"
}
},
{
"category": "product_version",
"name": "incus-fish-completion-6.17-2.1.s390x",
"product": {
"name": "incus-fish-completion-6.17-2.1.s390x",
"product_id": "incus-fish-completion-6.17-2.1.s390x"
}
},
{
"category": "product_version",
"name": "incus-tools-6.17-2.1.s390x",
"product": {
"name": "incus-tools-6.17-2.1.s390x",
"product_id": "incus-tools-6.17-2.1.s390x"
}
},
{
"category": "product_version",
"name": "incus-zsh-completion-6.17-2.1.s390x",
"product": {
"name": "incus-zsh-completion-6.17-2.1.s390x",
"product_id": "incus-zsh-completion-6.17-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "incus-6.17-2.1.x86_64",
"product": {
"name": "incus-6.17-2.1.x86_64",
"product_id": "incus-6.17-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "incus-bash-completion-6.17-2.1.x86_64",
"product": {
"name": "incus-bash-completion-6.17-2.1.x86_64",
"product_id": "incus-bash-completion-6.17-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "incus-fish-completion-6.17-2.1.x86_64",
"product": {
"name": "incus-fish-completion-6.17-2.1.x86_64",
"product_id": "incus-fish-completion-6.17-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "incus-tools-6.17-2.1.x86_64",
"product": {
"name": "incus-tools-6.17-2.1.x86_64",
"product_id": "incus-tools-6.17-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "incus-zsh-completion-6.17-2.1.x86_64",
"product": {
"name": "incus-zsh-completion-6.17-2.1.x86_64",
"product_id": "incus-zsh-completion-6.17-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-6.17-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-6.17-2.1.aarch64"
},
"product_reference": "incus-6.17-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-6.17-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-6.17-2.1.ppc64le"
},
"product_reference": "incus-6.17-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-6.17-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-6.17-2.1.s390x"
},
"product_reference": "incus-6.17-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-6.17-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-6.17-2.1.x86_64"
},
"product_reference": "incus-6.17-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-bash-completion-6.17-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.aarch64"
},
"product_reference": "incus-bash-completion-6.17-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-bash-completion-6.17-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.ppc64le"
},
"product_reference": "incus-bash-completion-6.17-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-bash-completion-6.17-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.s390x"
},
"product_reference": "incus-bash-completion-6.17-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-bash-completion-6.17-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.x86_64"
},
"product_reference": "incus-bash-completion-6.17-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-fish-completion-6.17-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.aarch64"
},
"product_reference": "incus-fish-completion-6.17-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-fish-completion-6.17-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.ppc64le"
},
"product_reference": "incus-fish-completion-6.17-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-fish-completion-6.17-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.s390x"
},
"product_reference": "incus-fish-completion-6.17-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-fish-completion-6.17-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.x86_64"
},
"product_reference": "incus-fish-completion-6.17-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-tools-6.17-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-tools-6.17-2.1.aarch64"
},
"product_reference": "incus-tools-6.17-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-tools-6.17-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-tools-6.17-2.1.ppc64le"
},
"product_reference": "incus-tools-6.17-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-tools-6.17-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-tools-6.17-2.1.s390x"
},
"product_reference": "incus-tools-6.17-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-tools-6.17-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-tools-6.17-2.1.x86_64"
},
"product_reference": "incus-tools-6.17-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-zsh-completion-6.17-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.aarch64"
},
"product_reference": "incus-zsh-completion-6.17-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-zsh-completion-6.17-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.ppc64le"
},
"product_reference": "incus-zsh-completion-6.17-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-zsh-completion-6.17-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.s390x"
},
"product_reference": "incus-zsh-completion-6.17-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "incus-zsh-completion-6.17-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.x86_64"
},
"product_reference": "incus-zsh-completion-6.17-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-52881",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-52881"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:incus-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-52881",
"url": "https://www.suse.com/security/cve/CVE-2025-52881"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:incus-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:incus-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-bash-completion-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-fish-completion-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-tools-6.17-2.1.x86_64",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.aarch64",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.ppc64le",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.s390x",
"openSUSE Tumbleweed:incus-zsh-completion-6.17-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-09T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-52881"
}
]
}
OPENSUSE-SU-2025:15843-1
Vulnerability from csaf_opensuse - Published: 2025-12-24 00:00 - Updated: 2025-12-24 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| openSUSE Tumbleweed:buildah-1.42.2-1.1.aarch64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:buildah-1.42.2-1.1.ppc64le | — |  | Vendor Fix |
| openSUSE Tumbleweed:buildah-1.42.2-1.1.s390x | — |  | Vendor Fix |
| openSUSE Tumbleweed:buildah-1.42.2-1.1.x86_64 | — |  | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "buildah-1.42.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the buildah-1.42.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15843",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15843-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-52881 page",
"url": "https://www.suse.com/security/cve/CVE-2025-52881/"
}
],
"title": "buildah-1.42.2-1.1 on GA media",
"tracking": {
"current_release_date": "2025-12-24T00:00:00Z",
"generator": {
"date": "2025-12-24T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15843-1",
"initial_release_date": "2025-12-24T00:00:00Z",
"revision_history": [
{
"date": "2025-12-24T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.42.2-1.1.aarch64",
"product": {
"name": "buildah-1.42.2-1.1.aarch64",
"product_id": "buildah-1.42.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.42.2-1.1.ppc64le",
"product": {
"name": "buildah-1.42.2-1.1.ppc64le",
"product_id": "buildah-1.42.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.42.2-1.1.s390x",
"product": {
"name": "buildah-1.42.2-1.1.s390x",
"product_id": "buildah-1.42.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.42.2-1.1.x86_64",
"product": {
"name": "buildah-1.42.2-1.1.x86_64",
"product_id": "buildah-1.42.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.42.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:buildah-1.42.2-1.1.aarch64"
},
"product_reference": "buildah-1.42.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.42.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:buildah-1.42.2-1.1.ppc64le"
},
"product_reference": "buildah-1.42.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.42.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:buildah-1.42.2-1.1.s390x"
},
"product_reference": "buildah-1.42.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.42.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:buildah-1.42.2-1.1.x86_64"
},
"product_reference": "buildah-1.42.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-52881",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-52881"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions up to and including 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting its own writes to /proc (for example the LSM label writes it performs during container setup) to other procfs files, by using a racing container with shared mounts. Upstream has also verified that this attack can be exploited with a standard Dockerfile via docker buildx build, because that too permits running containers in parallel with custom shared mounts configured. The redirect can be achieved through symbolic links in a tmpfs or, in theory, through other methods such as regular bind mounts. The mitigation applied for the related CVE-2019-19921 was limited: it effectively only made runc verify that the target of an LSM label write is a procfs file, and so does not prevent this issue. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:buildah-1.42.2-1.1.aarch64",
"openSUSE Tumbleweed:buildah-1.42.2-1.1.ppc64le",
"openSUSE Tumbleweed:buildah-1.42.2-1.1.s390x",
"openSUSE Tumbleweed:buildah-1.42.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-52881",
"url": "https://www.suse.com/security/cve/CVE-2025-52881"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:buildah-1.42.2-1.1.aarch64",
"openSUSE Tumbleweed:buildah-1.42.2-1.1.ppc64le",
"openSUSE Tumbleweed:buildah-1.42.2-1.1.s390x",
"openSUSE Tumbleweed:buildah-1.42.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:buildah-1.42.2-1.1.aarch64",
"openSUSE Tumbleweed:buildah-1.42.2-1.1.ppc64le",
"openSUSE Tumbleweed:buildah-1.42.2-1.1.s390x",
"openSUSE Tumbleweed:buildah-1.42.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-52881"
}
]
}
OPENSUSE-SU-2025:15845-1
Vulnerability from csaf_opensuse - Published: 2025-12-24 00:00 - Updated: 2025-12-24 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| openSUSE Tumbleweed:podman-5.7.1-1.1.aarch64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-5.7.1-1.1.ppc64le | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-5.7.1-1.1.s390x | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-5.7.1-1.1.x86_64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-docker-5.7.1-1.1.aarch64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-docker-5.7.1-1.1.ppc64le | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-docker-5.7.1-1.1.s390x | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-docker-5.7.1-1.1.x86_64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-remote-5.7.1-1.1.aarch64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-remote-5.7.1-1.1.ppc64le | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-remote-5.7.1-1.1.s390x | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-remote-5.7.1-1.1.x86_64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podmansh-5.7.1-1.1.aarch64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podmansh-5.7.1-1.1.ppc64le | — |  | Vendor Fix |
| openSUSE Tumbleweed:podmansh-5.7.1-1.1.s390x | — |  | Vendor Fix |
| openSUSE Tumbleweed:podmansh-5.7.1-1.1.x86_64 | — |  | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| openSUSE Tumbleweed:podman-5.7.1-1.1.aarch64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-5.7.1-1.1.ppc64le | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-5.7.1-1.1.s390x | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-5.7.1-1.1.x86_64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-docker-5.7.1-1.1.aarch64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-docker-5.7.1-1.1.ppc64le | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-docker-5.7.1-1.1.s390x | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-docker-5.7.1-1.1.x86_64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-remote-5.7.1-1.1.aarch64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-remote-5.7.1-1.1.ppc64le | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-remote-5.7.1-1.1.s390x | — |  | Vendor Fix |
| openSUSE Tumbleweed:podman-remote-5.7.1-1.1.x86_64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podmansh-5.7.1-1.1.aarch64 | — |  | Vendor Fix |
| openSUSE Tumbleweed:podmansh-5.7.1-1.1.ppc64le | — |  | Vendor Fix |
| openSUSE Tumbleweed:podmansh-5.7.1-1.1.s390x | — |  | Vendor Fix |
| openSUSE Tumbleweed:podmansh-5.7.1-1.1.x86_64 | — |  | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "podman-5.7.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the podman-5.7.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15845",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15845-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-52881 page",
"url": "https://www.suse.com/security/cve/CVE-2025-52881/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-9566 page",
"url": "https://www.suse.com/security/cve/CVE-2025-9566/"
}
],
"title": "podman-5.7.1-1.1 on GA media",
"tracking": {
"current_release_date": "2025-12-24T00:00:00Z",
"generator": {
"date": "2025-12-24T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15845-1",
"initial_release_date": "2025-12-24T00:00:00Z",
"revision_history": [
{
"date": "2025-12-24T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "podman-5.7.1-1.1.aarch64",
"product": {
"name": "podman-5.7.1-1.1.aarch64",
"product_id": "podman-5.7.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "podman-docker-5.7.1-1.1.aarch64",
"product": {
"name": "podman-docker-5.7.1-1.1.aarch64",
"product_id": "podman-docker-5.7.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "podman-remote-5.7.1-1.1.aarch64",
"product": {
"name": "podman-remote-5.7.1-1.1.aarch64",
"product_id": "podman-remote-5.7.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "podmansh-5.7.1-1.1.aarch64",
"product": {
"name": "podmansh-5.7.1-1.1.aarch64",
"product_id": "podmansh-5.7.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-5.7.1-1.1.ppc64le",
"product": {
"name": "podman-5.7.1-1.1.ppc64le",
"product_id": "podman-5.7.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "podman-docker-5.7.1-1.1.ppc64le",
"product": {
"name": "podman-docker-5.7.1-1.1.ppc64le",
"product_id": "podman-docker-5.7.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "podman-remote-5.7.1-1.1.ppc64le",
"product": {
"name": "podman-remote-5.7.1-1.1.ppc64le",
"product_id": "podman-remote-5.7.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "podmansh-5.7.1-1.1.ppc64le",
"product": {
"name": "podmansh-5.7.1-1.1.ppc64le",
"product_id": "podmansh-5.7.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-5.7.1-1.1.s390x",
"product": {
"name": "podman-5.7.1-1.1.s390x",
"product_id": "podman-5.7.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "podman-docker-5.7.1-1.1.s390x",
"product": {
"name": "podman-docker-5.7.1-1.1.s390x",
"product_id": "podman-docker-5.7.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "podman-remote-5.7.1-1.1.s390x",
"product": {
"name": "podman-remote-5.7.1-1.1.s390x",
"product_id": "podman-remote-5.7.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "podmansh-5.7.1-1.1.s390x",
"product": {
"name": "podmansh-5.7.1-1.1.s390x",
"product_id": "podmansh-5.7.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-5.7.1-1.1.x86_64",
"product": {
"name": "podman-5.7.1-1.1.x86_64",
"product_id": "podman-5.7.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "podman-docker-5.7.1-1.1.x86_64",
"product": {
"name": "podman-docker-5.7.1-1.1.x86_64",
"product_id": "podman-docker-5.7.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "podman-remote-5.7.1-1.1.x86_64",
"product": {
"name": "podman-remote-5.7.1-1.1.x86_64",
"product_id": "podman-remote-5.7.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "podmansh-5.7.1-1.1.x86_64",
"product": {
"name": "podmansh-5.7.1-1.1.x86_64",
"product_id": "podmansh-5.7.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-5.7.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-5.7.1-1.1.aarch64"
},
"product_reference": "podman-5.7.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-5.7.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-5.7.1-1.1.ppc64le"
},
"product_reference": "podman-5.7.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-5.7.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-5.7.1-1.1.s390x"
},
"product_reference": "podman-5.7.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-5.7.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-5.7.1-1.1.x86_64"
},
"product_reference": "podman-5.7.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-docker-5.7.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-docker-5.7.1-1.1.aarch64"
},
"product_reference": "podman-docker-5.7.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-docker-5.7.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-docker-5.7.1-1.1.ppc64le"
},
"product_reference": "podman-docker-5.7.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-docker-5.7.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-docker-5.7.1-1.1.s390x"
},
"product_reference": "podman-docker-5.7.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-docker-5.7.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-docker-5.7.1-1.1.x86_64"
},
"product_reference": "podman-docker-5.7.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-5.7.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-remote-5.7.1-1.1.aarch64"
},
"product_reference": "podman-remote-5.7.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-5.7.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-remote-5.7.1-1.1.ppc64le"
},
"product_reference": "podman-remote-5.7.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-5.7.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-remote-5.7.1-1.1.s390x"
},
"product_reference": "podman-remote-5.7.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-5.7.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podman-remote-5.7.1-1.1.x86_64"
},
"product_reference": "podman-remote-5.7.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podmansh-5.7.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podmansh-5.7.1-1.1.aarch64"
},
"product_reference": "podmansh-5.7.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podmansh-5.7.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podmansh-5.7.1-1.1.ppc64le"
},
"product_reference": "podmansh-5.7.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podmansh-5.7.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podmansh-5.7.1-1.1.s390x"
},
"product_reference": "podmansh-5.7.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podmansh-5.7.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:podmansh-5.7.1-1.1.x86_64"
},
"product_reference": "podmansh-5.7.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-52881",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-52881"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions up to and including 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting its own writes to /proc (for example the LSM label writes it performs during container setup) to other procfs files, by using a racing container with shared mounts. Upstream has also verified that this attack can be exploited with a standard Dockerfile via docker buildx build, because that too permits running containers in parallel with custom shared mounts configured. The redirect can be achieved through symbolic links in a tmpfs or, in theory, through other methods such as regular bind mounts. The mitigation applied for the related CVE-2019-19921 was limited: it effectively only made runc verify that the target of an LSM label write is a procfs file, and so does not prevent this issue. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:podman-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-52881",
"url": "https://www.suse.com/security/cve/CVE-2025-52881"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:podman-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:podman-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-52881"
},
{
"cve": "CVE-2025-9566",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-9566"
}
],
"notes": [
{
"category": "general",
"text": "There\u0027s a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and that volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control which target file is overwritten, not the content that is written into it.\n\nBinary-Affected: podman\nUpstream-version-introduced: v4.0.0\nUpstream-version-fixed: v5.6.1",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:podman-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-9566",
"url": "https://www.suse.com/security/cve/CVE-2025-9566"
},
{
"category": "external",
"summary": "SUSE Bug 1249154 for CVE-2025-9566",
"url": "https://bugzilla.suse.com/1249154"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:podman-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:podman-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-docker-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podman-remote-5.7.1-1.1.x86_64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.aarch64",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.ppc64le",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.s390x",
"openSUSE Tumbleweed:podmansh-5.7.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-9566"
}
]
}
OPENSUSE-SU-2025:20072-1
Vulnerability from csaf_opensuse - Published: 2025-11-20 16:44 - Updated: 2025-11-20 16:44
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for runc",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for runc fixes the following issues:\n\n- Update to runc v1.3.3:\n * CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: Fixed container breakouts by bypassing\n runc\u0027s restrictions for writing to arbitrary /proc files (bsc#1252232)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-46",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_20072-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1252110",
"url": "https://bugzilla.suse.com/1252110"
},
{
"category": "self",
"summary": "SUSE Bug 1252232",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-31133 page",
"url": "https://www.suse.com/security/cve/CVE-2025-31133/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-52565 page",
"url": "https://www.suse.com/security/cve/CVE-2025-52565/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-52881 page",
"url": "https://www.suse.com/security/cve/CVE-2025-52881/"
}
],
"title": "Security update for runc",
"tracking": {
"current_release_date": "2025-11-20T16:44:20Z",
"generator": {
"date": "2025-11-20T16:44:20Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:20072-1",
"initial_release_date": "2025-11-20T16:44:20Z",
"revision_history": [
{
"date": "2025-11-20T16:44:20Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "runc-1.3.3-160000.1.1.aarch64",
"product": {
"name": "runc-1.3.3-160000.1.1.aarch64",
"product_id": "runc-1.3.3-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "runc-1.3.3-160000.1.1.ppc64le",
"product": {
"name": "runc-1.3.3-160000.1.1.ppc64le",
"product_id": "runc-1.3.3-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "runc-1.3.3-160000.1.1.s390x",
"product": {
"name": "runc-1.3.3-160000.1.1.s390x",
"product_id": "runc-1.3.3-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "runc-1.3.3-160000.1.1.x86_64",
"product": {
"name": "runc-1.3.3-160000.1.1.x86_64",
"product_id": "runc-1.3.3-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.3.3-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64"
},
"product_reference": "runc-1.3.3-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.3.3-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le"
},
"product_reference": "runc-1.3.3-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.3.3-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x"
},
"product_reference": "runc-1.3.3-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.3.3-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64"
},
"product_reference": "runc-1.3.3-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-31133",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-31133"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-31133",
"url": "https://www.suse.com/security/cve/CVE-2025-31133"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-31133",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-31133",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-20T16:44:20Z",
"details": "important"
}
],
"title": "CVE-2025-31133"
},
{
"cve": "CVE-2025-52565",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-52565"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can lead to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-52565",
"url": "https://www.suse.com/security/cve/CVE-2025-52565"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-52565",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-52565",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-20T16:44:20Z",
"details": "important"
}
],
"title": "CVE-2025-52565"
},
{
"cve": "CVE-2025-52881",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-52881"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-52881",
"url": "https://www.suse.com/security/cve/CVE-2025-52881"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.s390x",
"openSUSE Leap 16.0:runc-1.3.3-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-20T16:44:20Z",
"details": "important"
}
],
"title": "CVE-2025-52881"
}
]
}
OPENSUSE-SU-2026:20072-1
Vulnerability from csaf_opensuse - Published: 2026-01-21 11:06 - Updated: 2026-01-21 11:06
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for podman",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for podman fixes the following issues:\n\n- CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: container breakouts by bypassing runc\u0027s restrictions for writing to arbitrary /proc files (bsc#1252376).\n- CVE-2025-9566: kube play command may overwrite host files (bsc#1249154).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-161",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20072-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1249154",
"url": "https://bugzilla.suse.com/1249154"
},
{
"category": "self",
"summary": "SUSE Bug 1252376",
"url": "https://bugzilla.suse.com/1252376"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-31133 page",
"url": "https://www.suse.com/security/cve/CVE-2025-31133/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-52565 page",
"url": "https://www.suse.com/security/cve/CVE-2025-52565/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-52881 page",
"url": "https://www.suse.com/security/cve/CVE-2025-52881/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-9566 page",
"url": "https://www.suse.com/security/cve/CVE-2025-9566/"
}
],
"title": "Security update for podman",
"tracking": {
"current_release_date": "2026-01-21T11:06:30Z",
"generator": {
"date": "2026-01-21T11:06:30Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20072-1",
"initial_release_date": "2026-01-21T11:06:30Z",
"revision_history": [
{
"date": "2026-01-21T11:06:30Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "podman-5.4.2-160000.3.1.aarch64",
"product": {
"name": "podman-5.4.2-160000.3.1.aarch64",
"product_id": "podman-5.4.2-160000.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "podman-remote-5.4.2-160000.3.1.aarch64",
"product": {
"name": "podman-remote-5.4.2-160000.3.1.aarch64",
"product_id": "podman-remote-5.4.2-160000.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "podmansh-5.4.2-160000.3.1.aarch64",
"product": {
"name": "podmansh-5.4.2-160000.3.1.aarch64",
"product_id": "podmansh-5.4.2-160000.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-docker-5.4.2-160000.3.1.noarch",
"product": {
"name": "podman-docker-5.4.2-160000.3.1.noarch",
"product_id": "podman-docker-5.4.2-160000.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-5.4.2-160000.3.1.ppc64le",
"product": {
"name": "podman-5.4.2-160000.3.1.ppc64le",
"product_id": "podman-5.4.2-160000.3.1.ppc64le"
}
},
{
"category": "product_version",
"name": "podman-remote-5.4.2-160000.3.1.ppc64le",
"product": {
"name": "podman-remote-5.4.2-160000.3.1.ppc64le",
"product_id": "podman-remote-5.4.2-160000.3.1.ppc64le"
}
},
{
"category": "product_version",
"name": "podmansh-5.4.2-160000.3.1.ppc64le",
"product": {
"name": "podmansh-5.4.2-160000.3.1.ppc64le",
"product_id": "podmansh-5.4.2-160000.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-5.4.2-160000.3.1.s390x",
"product": {
"name": "podman-5.4.2-160000.3.1.s390x",
"product_id": "podman-5.4.2-160000.3.1.s390x"
}
},
{
"category": "product_version",
"name": "podman-remote-5.4.2-160000.3.1.s390x",
"product": {
"name": "podman-remote-5.4.2-160000.3.1.s390x",
"product_id": "podman-remote-5.4.2-160000.3.1.s390x"
}
},
{
"category": "product_version",
"name": "podmansh-5.4.2-160000.3.1.s390x",
"product": {
"name": "podmansh-5.4.2-160000.3.1.s390x",
"product_id": "podmansh-5.4.2-160000.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-5.4.2-160000.3.1.x86_64",
"product": {
"name": "podman-5.4.2-160000.3.1.x86_64",
"product_id": "podman-5.4.2-160000.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "podman-remote-5.4.2-160000.3.1.x86_64",
"product": {
"name": "podman-remote-5.4.2-160000.3.1.x86_64",
"product_id": "podman-remote-5.4.2-160000.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "podmansh-5.4.2-160000.3.1.x86_64",
"product": {
"name": "podmansh-5.4.2-160000.3.1.x86_64",
"product_id": "podmansh-5.4.2-160000.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-5.4.2-160000.3.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64"
},
"product_reference": "podman-5.4.2-160000.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-5.4.2-160000.3.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le"
},
"product_reference": "podman-5.4.2-160000.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-5.4.2-160000.3.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x"
},
"product_reference": "podman-5.4.2-160000.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-5.4.2-160000.3.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64"
},
"product_reference": "podman-5.4.2-160000.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-docker-5.4.2-160000.3.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch"
},
"product_reference": "podman-docker-5.4.2-160000.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-5.4.2-160000.3.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64"
},
"product_reference": "podman-remote-5.4.2-160000.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-5.4.2-160000.3.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le"
},
"product_reference": "podman-remote-5.4.2-160000.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-5.4.2-160000.3.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x"
},
"product_reference": "podman-remote-5.4.2-160000.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-5.4.2-160000.3.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64"
},
"product_reference": "podman-remote-5.4.2-160000.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podmansh-5.4.2-160000.3.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64"
},
"product_reference": "podmansh-5.4.2-160000.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podmansh-5.4.2-160000.3.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le"
},
"product_reference": "podmansh-5.4.2-160000.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podmansh-5.4.2-160000.3.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x"
},
"product_reference": "podmansh-5.4.2-160000.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podmansh-5.4.2-160000.3.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
},
"product_reference": "podmansh-5.4.2-160000.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-31133",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-31133"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-31133",
"url": "https://www.suse.com/security/cve/CVE-2025-31133"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-31133",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-31133",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T11:06:30Z",
"details": "important"
}
],
"title": "CVE-2025-31133"
},
{
"cve": "CVE-2025-52565",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-52565"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can lead to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-52565",
"url": "https://www.suse.com/security/cve/CVE-2025-52565"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-52565",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-52565",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T11:06:30Z",
"details": "important"
}
],
"title": "CVE-2025-52565"
},
{
"cve": "CVE-2025-52881",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-52881"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-52881",
"url": "https://www.suse.com/security/cve/CVE-2025-52881"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T11:06:30Z",
"details": "important"
}
],
"title": "CVE-2025-52881"
},
{
"cve": "CVE-2025-9566",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-9566"
}
],
"notes": [
{
"category": "general",
"text": "There\u0027s a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.\n\nBinary-Affected: podman\nUpstream-version-introduced: v4.0.0\nUpstream-version-fixed: v5.6.1",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-9566",
"url": "https://www.suse.com/security/cve/CVE-2025-9566"
},
{
"category": "external",
"summary": "SUSE Bug 1249154 for CVE-2025-9566",
"url": "https://bugzilla.suse.com/1249154"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podman-docker-5.4.2-160000.3.1.noarch",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podman-remote-5.4.2-160000.3.1.x86_64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.aarch64",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.ppc64le",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.s390x",
"openSUSE Leap 16.0:podmansh-5.4.2-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T11:06:30Z",
"details": "important"
}
],
"title": "CVE-2025-9566"
}
]
}
OPENSUSE-SU-2026:20080-1
Vulnerability from csaf_opensuse - Published: 2026-01-22 13:00 - Updated: 2026-01-22 13:00
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for buildah",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for buildah fixes the following issues:\n\n- CVE-2025-47914: golang.org/x/crypto/ssh/agent: Fixed non validated message size causing a panic due to an out\n of bounds read (bsc#1254054)\n- CVE-2025-47913: golang.org/x/crypto/ssh/agent: Fixed client process termination when receiving an unexpected\n message type in response to a key listing or signing request (bsc#1253598)\n- CVE-2025-31133,CVE-2025-52565,CVE-2025-52881: Fixed container breakouts by bypassing runc\u0027s restrictions for writing to arbitrary /proc\n files (bsc#1253096)\n\nOther fixes:\n\n- Updated to version 1.39.5.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-169",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20080-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1253096",
"url": "https://bugzilla.suse.com/1253096"
},
{
"category": "self",
"summary": "SUSE Bug 1253598",
"url": "https://bugzilla.suse.com/1253598"
},
{
"category": "self",
"summary": "SUSE Bug 1254054",
"url": "https://bugzilla.suse.com/1254054"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-31133 page",
"url": "https://www.suse.com/security/cve/CVE-2025-31133/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47914 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47914/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-52565 page",
"url": "https://www.suse.com/security/cve/CVE-2025-52565/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-52881 page",
"url": "https://www.suse.com/security/cve/CVE-2025-52881/"
}
],
"title": "Security update for buildah",
"tracking": {
"current_release_date": "2026-01-22T13:00:13Z",
"generator": {
"date": "2026-01-22T13:00:13Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20080-1",
"initial_release_date": "2026-01-22T13:00:13Z",
"revision_history": [
{
"date": "2026-01-22T13:00:13Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.39.5-160000.1.1.aarch64",
"product": {
"name": "buildah-1.39.5-160000.1.1.aarch64",
"product_id": "buildah-1.39.5-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.39.5-160000.1.1.ppc64le",
"product": {
"name": "buildah-1.39.5-160000.1.1.ppc64le",
"product_id": "buildah-1.39.5-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.39.5-160000.1.1.s390x",
"product": {
"name": "buildah-1.39.5-160000.1.1.s390x",
"product_id": "buildah-1.39.5-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.39.5-160000.1.1.x86_64",
"product": {
"name": "buildah-1.39.5-160000.1.1.x86_64",
"product_id": "buildah-1.39.5-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.39.5-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64"
},
"product_reference": "buildah-1.39.5-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.39.5-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le"
},
"product_reference": "buildah-1.39.5-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.39.5-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x"
},
"product_reference": "buildah-1.39.5-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.39.5-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
},
"product_reference": "buildah-1.39.5-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-31133",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-31133"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container\u0027s /dev/null) was actually a real /dev/null inode when using the container\u0027s /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-31133",
"url": "https://www.suse.com/security/cve/CVE-2025-31133"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-31133",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-31133",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-22T13:00:13Z",
"details": "important"
}
],
"title": "CVE-2025-31133"
},
{
"cve": "CVE-2025-47913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47913"
}
],
"notes": [
{
"category": "general",
"text": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47913",
"url": "https://www.suse.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "SUSE Bug 1253506 for CVE-2025-47913",
"url": "https://bugzilla.suse.com/1253506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-22T13:00:13Z",
"details": "important"
}
],
"title": "CVE-2025-47913"
},
{
"cve": "CVE-2025-47914",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47914"
}
],
"notes": [
{
"category": "general",
"text": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47914",
"url": "https://www.suse.com/security/cve/CVE-2025-47914"
},
{
"category": "external",
"summary": "SUSE Bug 1253967 for CVE-2025-47914",
"url": "https://bugzilla.suse.com/1253967"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-22T13:00:13Z",
"details": "moderate"
}
],
"title": "CVE-2025-47914"
},
{
"cve": "CVE-2025-52565",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-52565"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can lead to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-52565",
"url": "https://www.suse.com/security/cve/CVE-2025-52565"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-52565",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-52565",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-22T13:00:13Z",
"details": "important"
}
],
"title": "CVE-2025-52565"
},
{
"cve": "CVE-2025-52881",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-52881"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-52881",
"url": "https://www.suse.com/security/cve/CVE-2025-52881"
},
{
"category": "external",
"summary": "SUSE Bug 1252232 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1252232"
},
{
"category": "external",
"summary": "SUSE Bug 1255063 for CVE-2025-52881",
"url": "https://bugzilla.suse.com/1255063"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.aarch64",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.ppc64le",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.s390x",
"openSUSE Leap 16.0:buildah-1.39.5-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-22T13:00:13Z",
"details": "important"
}
],
"title": "CVE-2025-52881"
}
]
}