Description
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.
References (3)
Core 3
Core References
Vendor Advisory
https://security.netapp.com/advisory/ntap-20241206-0005/
Patch, Vendor Advisory x_refsource_confirm
https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c
Patch x_refsource_misc
https://github.com/opencontainers/runc/pull/3785
Scores
CVSS v3
6.1
EPSS
0.0034
EPSS Percentile
25.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-281
CWE-59
Status
published
Products (2)
linuxfoundation/runc
< 1.1.5
opencontainers/runc
0 - 1.1.5Go
Published
Mar 29, 2023
Tracked Since
Feb 18, 2026