Bottlerocket: bottlerocket-runc, runc: security update to 1.2.7

high Tenable Cloud Security Plugin ID 435981

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- runc is a CLI tool for spawning and running containers according to the OCI specification. In versions
1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs
files through the use of a racing container with shared mounts (we have also verified this attack is
possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering
parallel execution of containers with custom shared mounts configured). This redirect could be through
symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the
mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused
runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in
versions 1.2.8, 1.3.3, and 1.4.0-rc.3. (CVE-2025-52881)

Plugin Details

Severity: High

ID: 435981

Version: Revision 1.7

Type: Local

Published: 11/7/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.7

Percentile: 99.07

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.7

Vector: CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-52881

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.3

Threat Score: 5.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 11/5/2025

Reference Information

CVE: CVE-2025-52881