Alpine: multiple runc packages: security update to 1.3.3-r0

high Tenable Cloud Security Plugin ID 435941

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- runc is a CLI tool for spawning and running containers according to the OCI specification. In versions
1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform
sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a
real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an
arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape,
or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
(CVE-2025-31133)

- runc is a CLI tool for spawning and running containers according to the OCI specification. Versions
1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient
checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc
into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker
can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it
attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to
`/dev/console` as configured for all containers that allocate a console). This happens after
`pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with
CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the
attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively).
This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3. (CVE-2025-52565)

- runc is a CLI tool for spawning and running containers according to the OCI specification. In versions
1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs
files through the use of a racing container with shared mounts (we have also verified this attack is
possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering
parallel execution of containers with custom shared mounts configured). This redirect could be through
symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the
mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused
runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in
versions 1.2.8, 1.3.3, and 1.4.0-rc.3. (CVE-2025-52881)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-31133

https://security.alpinelinux.org/vuln/CVE-2025-52565

https://security.alpinelinux.org/vuln/CVE-2025-52881

Plugin Details

Severity: High

ID: 435941

Version: Revision 1.8

Type: Local

Published: 11/6/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.7

Percentile: 99.07

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.7

Vector: CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-52881

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2025-31133

CVSS v4

Risk Factor: High

Base Score: 8.4

Threat Score: 7.1

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

CVSS Score Source: CVE-2025-52565

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 11/5/2025

Reference Information

CVE: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881