| Description |
This article explains three high-severity vulnerabilities in runc, the low-level OCI container runtime that most container platforms, including Docker, containerd, and Kubernetes, use to create and start containers. On November 5th and 6th, 2025, three high-severity CVEs (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) were published for runc. Each allows a malicious container to break out of the container boundary and write to files on the host, which can be escalated to code execution on the host itself. None of them relies on a kernel or hypervisor flaw: they abuse privileged file operations that runc performs on the host while setting up a container (masking and bind-mounting paths under /dev and writing to procfs), which a crafted container image or configuration can redirect to host paths. |
| Scope |
Affected Versions: all runc releases before v1.2.8 (1.2 branch), v1.3.3 (1.3 branch), and v1.4.0-rc.3 (1.4 branch); 1.1 and older releases are all affected.
Attack Vector: a malicious or attacker-controlled container image or container configuration that is started by runc on the target host.
Potential Impact: arbitrary file writes on the host leading to arbitrary code execution and full host compromise. |
| Solution |
To mitigate these vulnerabilities, users of runc, containerd, Docker, Kubernetes, or any container platform that uses runc should immediately update to a patched runc release for the branch in use: v1.2.8, v1.3.3, or v1.4.0-rc.3 and later. Until hosts are patched, do not start untrusted container images or configurations on them.
Lacework FortiCNAPP is tracking this vulnerability across all ecosystems and will detect affected hosts via the Vulnerability Management module. |
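The version check below is an added example and is not code from this page, from Lacework, or from the runc project. It parses the output of `runc --version`, decides whether the reported version predates the fixed release on its branch, and assumes the fixed versions are runc 1.2.8, 1.3.3 and 1.4.0-rc.3 (the `FIXED` table, the constructed `SAMPLE_OUTPUT` text, and all function names are the example's own). Release candidates sort below the final release of the same number, so 1.4.0-rc.2 is flagged while 1.4.0-rc.3 and 1.4.0 are not.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, Optional[int]]  # (major, minor, patch, rc or None)

# Lowest patched release on each runc branch for CVE-2025-31133,
# CVE-2025-52565 and CVE-2025-52881 (assumption of this example; check the
# runc release notes and your distribution's advisory for your package).
FIXED = {
    (1, 2): (1, 2, 8, None),
    (1, 3): (1, 3, 3, None),
    (1, 4): (1, 4, 0, 3),   # v1.4.0-rc.3
}
OLDEST_FIXED_BRANCH = (1, 2)  # 1.1 and older never received a fix

# Accepts "1.2.7", "v1.4.0-rc.2", "v1.4.0-rc2" and distro-style "1.1.12+ds1-5"
# (the trailing packaging suffix is ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch, rc) or None if the string is not a runc version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else None)


def _key(v: Version):
    major, minor, patch, rc = v
    # A final release sorts above every release candidate with the same number.
    return (major, minor, patch, 1 if rc is None else 0, rc or 0)


def is_vulnerable(version_text: str) -> bool:
    """True if the given runc version predates the fix on its branch."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unrecognised runc version: {version_text!r}")
    branch = (v[0], v[1])
    if branch in FIXED:
        return _key(v) < _key(FIXED[branch])
    # Branches newer than the ones listed were cut after the fix;
    # branches older than 1.2 never got one.
    return branch < OLDEST_FIXED_BRANCH


def version_from_runc_output(output: str) -> Optional[str]:
    """Extract the version from `runc --version` output (first line is 'runc version X')."""
    for line in output.splitlines():
        m = re.match(r"runc version\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def check_host(runc_path: str = "runc") -> Tuple[str, bool]:
    """Run the local runc binary and report (version, vulnerable)."""
    out = subprocess.run([runc_path, "--version"], capture_output=True,
                         text=True, check=True).stdout
    ver = version_from_runc_output(out)
    if ver is None:
        raise ValueError("no 'runc version' line in output")
    return ver, is_vulnerable(ver)


# Constructed sample of `runc --version` output for offline use; not captured
# from a real host.
SAMPLE_OUTPUT = """\
runc version 1.2.7
spec: 1.2.1
go: go1.23.0
"""

if __name__ == "__main__":
    ver = version_from_runc_output(SAMPLE_OUTPUT)
    print(f"sample: runc {ver} -> {'VULNERABLE' if is_vulnerable(ver) else 'patched'}")
    try:
        ver, vuln = check_host()
        print(f"this host: runc {ver} -> {'VULNERABLE' if vuln else 'patched'}")
    except (FileNotFoundError, subprocess.CalledProcessError, ValueError) as exc:
        print(f"this host: could not determine runc version ({exc})")
```

Distribution packages of runc often carry backported fixes under an older upstream version string, so a "VULNERABLE" verdict for a distro-packaged binary means "check the distribution's advisory", not "confirmed affected". Also note that Docker and containerd may ship their own runc binary rather than the one on `PATH`; point `check_host` at the binary the daemon actually uses.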
Copyright 2025 Fortinet, Inc. All Rights Reserved.