CVE-2025-31133

Publication date 5 November 2025

Last updated 12 November 2025

Ubuntu priority

High

Why this priority?

Description

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Read the notes from the security team

Why is this CVE high priority?

runc developers have rated this as being high severity

Learn more about Ubuntu priority

Status

Package Ubuntu Release Status
runc 25.10 questing Ignored backport too intrusive
25.04 plucky Ignored backport too intrusive
24.04 LTS noble Ignored backport too intrusive
22.04 LTS jammy Ignored backport too intrusive
20.04 LTS focal Ignored backport too intrusive
18.04 LTS bionic Ignored backport too intrusive
16.04 LTS xenial Ignored backport too intrusive
runc-app 25.10 questing
Fixed 1.3.3-0ubuntu1~25.10.2
25.04 plucky
Fixed 1.3.3-0ubuntu1~25.04.2
24.04 LTS noble
Fixed 1.3.3-0ubuntu1~24.04.2
22.04 LTS jammy
Fixed 1.3.3-0ubuntu1~22.04.2
20.04 LTS focal Ignored backport too intrusive
runc-stable 25.10 questing
Fixed 1.3.3-0ubuntu1~25.10.2
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Not in release
16.04 LTS xenial Not in release
14.04 LTS trusty Not in release

Notes

sbeattie

src:runc-app provides the runc binaries, src:runc provides golang-github-opencontainers-runc-dev in older releases. See LP: #2022390 and LP: #2040460 for details.

References

Related Ubuntu Security Notices (USN)

Other references