github.com/opencontainers/runc
cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*
- >= 1.0.0-rc3, <= 1.2.7
- >= 1.3.0-rc.1, <= 1.3.2
- >= 1.4.0-rc.1, <= 1.4.0-rc.2
A vulnerability in runc, the CLI tool for managing containers, allows an attacker to escape from a container by abusing the bind-mount of '/dev/pts/$n' onto '/dev/console'. The issue is present in runc versions 1.0.0-rc3 prior to 1.2.8, 1.3.0-rc.1 prior to 1.3.3, and 1.4.0-rc.1 prior to 1.4.0-rc.3. It arises from insufficient checks when bind-mounting the pseudo-terminal path to the console inside the container: an attacker who controls the layout of the container's filesystem can trick runc into bind-mounting a path that should have been read-only or masked onto a writable location. Because the mount is performed after 'pivot_root', host files cannot be modified directly. However, as with the related vulnerability CVE-2025-31133, the attacker gains writable copies of critical procfs files such as '/proc/sysrq-trigger' or '/proc/sys/kernel/core_pattern', which is enough for a denial-of-service condition on the host or a breakout from the container.
Successful exploitation gives write access to sensitive procfs files, which can lead to a container breakout or to a denial-of-service condition on the host or within the container.
The vulnerability can be reproduced by creating a container that allocates a console and arranging for the '/dev/pts/$n' path to resolve, at the moment runc performs the bind-mount, to a procfs file that should later be masked or made read-only, for example by replacing the pseudo-terminal path with a symlink to such a file. Because the console bind-mount is applied before the read-only and masked path protections, the result is a writable copy of that file at '/dev/console' inside the container.
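The following Go program is an added example of the kind of check the description above calls for; it is not runc's code and not the project's actual patch. It opens the console source path under the container rootfs one component at a time with O_PATH|O_NOFOLLOW, rejects any component that is a symlink, and then verifies with fstat/fstatfs that the final object is a character device on a devpts filesystem. The function name OpenConsoleSource, the error values, and the constructed rootfs in main (a temporary directory whose dev/pts/0 is a symlink to proc/sysrq-trigger) are all assumptions made for this example. DEVPTS_SUPER_MAGIC (0x1cd1) and O_PATH (0x200000) are the Linux values from <linux/magic.h> and <fcntl.h>.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

const (
	devptsSuperMagic = 0x1cd1   // DEVPTS_SUPER_MAGIC from <linux/magic.h>
	oPath            = 0x200000 // O_PATH, generic Linux value from <fcntl.h>
)

// Error values are assumptions for this example, not runc's.
var (
	ErrEscapesRoot = errors.New("path escapes the container rootfs")
	ErrSymlink     = errors.New("path component is a symlink")
	ErrNotCharDev  = errors.New("console source is not a character device")
	ErrNotDevpts   = errors.New("console source is not on a devpts filesystem")
)

// OpenConsoleSource walks rootfs/rel component by component with
// O_PATH|O_NOFOLLOW, refusing any symlink, and then checks that the final
// object is a character device on devpts. It returns an O_PATH fd; mounting
// through /proc/self/fd/<fd> instead of the textual path closes the window
// between this check and the mount. The caller must close the fd.
func OpenConsoleSource(rootfs, rel string) (int, error) {
	fd, err := syscall.Open(rootfs, oPath|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return -1, fmt.Errorf("open rootfs %q: %w", rootfs, err)
	}
	var st syscall.Stat_t
	for _, comp := range strings.Split(filepath.Clean(rel), "/") {
		if comp == "" || comp == "." {
			continue
		}
		if comp == ".." {
			syscall.Close(fd)
			return -1, ErrEscapesRoot
		}
		// With O_PATH, O_NOFOLLOW does not fail on a symlink: it hands back an
		// fd to the link itself, so the type must be checked with fstat.
		next, err := syscall.Openat(fd, comp, oPath|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
		syscall.Close(fd)
		if err != nil {
			return -1, fmt.Errorf("openat %q: %w", comp, err)
		}
		fd = next
		if err := syscall.Fstat(fd, &st); err != nil {
			syscall.Close(fd)
			return -1, err
		}
		if st.Mode&syscall.S_IFMT == syscall.S_IFLNK {
			syscall.Close(fd)
			return -1, fmt.Errorf("%w: %q", ErrSymlink, comp)
		}
	}
	if st.Mode&syscall.S_IFMT != syscall.S_IFCHR {
		syscall.Close(fd)
		return -1, ErrNotCharDev
	}
	var fs syscall.Statfs_t
	if err := syscall.Fstatfs(fd, &fs); err != nil {
		syscall.Close(fd)
		return -1, err
	}
	if fs.Type != devptsSuperMagic {
		syscall.Close(fd)
		return -1, ErrNotDevpts
	}
	return fd, nil
}

// main builds a constructed rootfs (a temp dir, not a real container) whose
// dev/pts/0 is a symlink to proc/sysrq-trigger, mirroring the attack above,
// and shows the check rejecting it along with a path that escapes the rootfs.
func main() {
	root, err := os.MkdirTemp("", "rootfs-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "dev", "pts"), 0o755)
	os.Symlink("../../proc/sysrq-trigger", filepath.Join(root, "dev", "pts", "0"))
	for _, rel := range []string{"dev/pts/0", "../etc/passwd"} {
		fd, err := OpenConsoleSource(root, rel)
		if err == nil {
			syscall.Close(fd)
		}
		fmt.Printf("%-16s -> %v\n", rel, err)
	}
	// On a host with devpts mounted, a real pty path passes the check.
	if fd, err := OpenConsoleSource("/", "dev/pts/ptmx"); err == nil {
		syscall.Close(fd)
		fmt.Println("dev/pts/ptmx     -> accepted (character device on devpts)")
	}
}
```

The path walk rejects symlinks at every level, so a symlinked dev/pts directory is caught as well as a symlinked pts node; the devpts check additionally rejects a character device planted in the rootfs that is not a pty at all. The check is still only as good as what is done with the result: the fd must be the thing that gets mounted, otherwise a path-based mount reopens the race.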
Users can update to runc versions 1.2.8, 1.3.3, or 1.4.0-rc.3, all of which include patches for this vulnerability.