CVE-2025-31133

HIGH

runc < 1.2.8, 1.3.0-rc.1-1.3.1, 1.4.0-rc.1-1.4.0-rc.2 - Arbitrary Mount Gadget via Insufficient Bind-Mount Verification


Exploitation Summary

EIP tracks 5 public exploits for CVE-2025-31133. PoCs published by skynet-f-nvidia, sahar042, C-h4ck-0.

AI-analyzed exploit summary: This PoC demonstrates a symlink race condition in runc (CVE-2025-31133) by exploiting the maskedPaths feature to modify /proc/sys/kernel/core_pattern. It uses a background process to rapidly replace /dev/null with a symlink to bypass runc's restrictions.

Description

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, and 1.4.0-rc.1 and 1.4.0-rc.2, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask files. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service or container escape; and a bypass of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Exploits (5)

nomisec · WORKING POC · 2 stars
by skynet-f-nvidia · poc
https://github.com/skynet-f-nvidia/CVE-2025-31133

This PoC demonstrates a symlink race condition in runc (CVE-2025-31133) by exploiting the maskedPaths feature to modify /proc/sys/kernel/core_pattern. It uses a background process to rapidly replace /dev/null with a symlink to bypass runc's restrictions.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: runc (specific vulnerable versions affected by CVE-2025-31133)
Auth: none needed
Prerequisites: runc installed · busybox-static available · root or container runtime access
Analyzed by devstral-2 on Feb 16, 2026

nomisec · WORKING POC · 2 stars
by sahar042 · poc
https://github.com/sahar042/CVE-2025-31133

This repository contains a functional exploit PoC for CVE-2025-31133, targeting a symlink race condition in runc's maskedPaths feature. The exploit attempts host code execution by manipulating /proc/sys/kernel/core_pattern via a race condition during container startup.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: runc (specific vulnerable versions affected by CVE-2025-31133)
Auth: none needed
Prerequisites: vulnerable runc version · ability to execute runc commands · container environment setup
Analyzed by devstral-2 on Apr 09, 2026

nomisec · WORKING POC · 1 star
by C-h4ck-0 · poc
https://github.com/C-h4ck-0/Learn-about-cve-2025-31133-poc

This repository contains a functional proof-of-concept exploit for CVE-2025-31133, a race condition vulnerability in runc that allows bypassing `maskedPaths` protection, potentially leading to container escape. The exploit leverages a timing window during container initialization to write to protected files like `/proc/sys/kernel/core_pattern`.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: runc v1.2.0
Auth: none needed
Prerequisites: Linux system with root/sudo access · Vulnerable runc version (v1.2.0) · Basic understanding of container runtimes
Analyzed by devstral-2 on Feb 16, 2026

nomisec · WRITEUP
by Glitched-Airis · poc
https://github.com/Glitched-Airis/CVE-2025-31133-Compose-Build-Lab

This repository provides a detailed educational lab environment for CVE-2025-31133, focusing on Docker Compose build vulnerabilities. It includes a PaaS simulator, policy checks, and sample projects to demonstrate the vulnerability without shipping a full exploit chain.

Classification: Writeup (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Docker Compose and BuildKit
Auth: none needed
Prerequisites: Docker environment with mounted socket · Isolated lab setup
Analyzed by devstral-2 on May 12, 2026

nomisec · WORKING POC
by scherepiuk · poc
https://github.com/scherepiuk/container-escape-ebpf

This repository contains a working proof-of-concept exploit for CVE-2025-31133, a container escape vulnerability in runc. The exploit leverages eBPF to manipulate the core_pattern handler, achieving privilege escalation from within a container to the host system.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: runc (versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.2, 1.4.0-rc.1 and 1.4.0-rc.2)
Auth: none needed
Prerequisites: Unprivileged user access to create containers with runc · Vulnerable version of runc installed on the host
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 7.8
EPSS: 0.0002
EPSS Percentile: 6.1%
Attack Vector: LOCAL
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-61 (UNIX Symbolic Link Following), CWE-363 (Race Condition Enabling Link Following)
Status: published
Products (3):
linuxfoundation/runc 1.4.0 rc1 (2 CPE variants)
linuxfoundation/runc < 1.2.8
opencontainers/runc 0 - 1.2.8 (Go)
Published: Nov 06, 2025
Tracked Since: Feb 18, 2026