
Console and Write-Gadget Lurkers: CVE-2025-52565 & CVE-2025-52881
The second vulnerability, tracked as CVE-2025-52565, lies in runc's handling of the /dev/console bind-mount. An attacker who controls the container's root filesystem can replace the mount target with a symlink, so that runc bind-mounts onto the wrong path; the result is write access to procfs paths that were meant to be protected.
“As with CVE-2025-31133, this happens after pivot_root(2) and so cannot be used to bind-mount host files directly, but an attacker can trick runc into creating a read-write bind-mount of /proc/sys/kernel/core_pattern or /proc/sysrq-trigger, leading to a complete container breakout,” Sarai said, adding that versions 1.0.0-rc3 and later are affected.
The third flaw (CVE-2025-52881) lets an attacker redirect the writes runc makes to procfs files, including the ones that apply SELinux or AppArmor labels, onto other procfs files. With the Linux Security Module (LSM) labelling defeated in this way, the redirected write can land on procfs files that control the host, enabling full host compromise.
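Both bugs share one shape: a path that runc expects to be a plain file, the bind-mount target dev/console in CVE-2025-52565 and a label file under /proc/self/attr in CVE-2025-52881, has been swapped for a symlink, so a mount or write issued by path string lands on a different procfs file. The following Python is an added illustration for this article; it is not runc's code and not the fix the maintainers shipped. It builds a toy rootfs with a fake procfs in a temporary directory (no real mounts, no real /proc, no root required) and compares string-based path handling with a per-component O_NOFOLLOW open relative to the rootfs, which stands in for fd-based, no-symlink resolution such as openat2(2) with RESOLVE_NO_SYMLINKS. The rootfs layout, the label value "container_t" and the file contents are constructed for the demo; only the procfs file names come from the text above.

```python
# Added example, not code from runc or from the advisory. Toy rootfs + fake procfs
# in a temp dir; shows why a symlink at dev/console or proc/self/attr/exec redirects
# a path-based bind-mount or write, and how O_NOFOLLOW-per-component refuses it.
import os
import tempfile


def _write(path, data):
    with open(path, "w") as f:
        f.write(data)


def _read(path):
    with open(path) as f:
        return f.read()


def build_rootfs(base, malicious):
    """Constructed sample rootfs. In the malicious variant dev/console points at the
    fake core_pattern and the fake LSM label file points at the fake sysrq-trigger."""
    os.makedirs(os.path.join(base, "dev"))
    os.makedirs(os.path.join(base, "proc", "sys", "kernel"))
    os.makedirs(os.path.join(base, "proc", "self", "attr"))
    _write(os.path.join(base, "proc", "sys", "kernel", "core_pattern"), "core\n")
    _write(os.path.join(base, "proc", "sysrq-trigger"), "")
    console = os.path.join(base, "dev", "console")
    label = os.path.join(base, "proc", "self", "attr", "exec")
    if malicious:
        os.symlink("../proc/sys/kernel/core_pattern", console)
        os.symlink("../../sysrq-trigger", label)
    else:
        _write(console, "")
        _write(label, "")
    return base


def open_beneath_nofollow(rootfs, rel, flags=os.O_RDONLY):
    """Open rootfs/rel one component at a time, each with O_NOFOLLOW, so a symlink at
    any step fails with ELOOP instead of being followed. Intermediate components must
    be directories and '..' is rejected, keeping the result beneath rootfs.
    Returns a file descriptor; the caller closes it."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise ValueError("path escapes rootfs: %r" % rel)
    fd = os.open(rootfs, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, part in enumerate(parts):
            last = i == len(parts) - 1
            step = os.O_NOFOLLOW | (flags if last else os.O_RDONLY | os.O_DIRECTORY)
            nfd = os.open(part, step, dir_fd=fd)
            os.close(fd)
            fd = nfd
    except BaseException:
        os.close(fd)
        raise
    return fd


def _nofollow_opens(rootfs, rel, flags):
    try:
        fd = open_beneath_nofollow(rootfs, rel, flags)
    except OSError:  # ELOOP on a symlink, ENOTDIR on a swapped directory, ...
        return False
    os.close(fd)
    return True


def audit(rootfs):
    """Compare string-based path handling with the no-symlink variant on one rootfs."""
    out = {}
    # CVE-2025-52565 shape: where would a bind-mount whose target is given as a
    # path string actually land? realpath follows the symlink like the kernel would.
    target = os.path.realpath(os.path.join(rootfs, "dev/console"))
    out["console_target"] = os.path.relpath(target, rootfs)
    out["console_nofollow_ok"] = _nofollow_opens(rootfs, "dev/console", os.O_RDONLY)
    # CVE-2025-52881 shape: a label write issued by path follows the symlink and
    # lands in the (fake) sysrq-trigger instead of the attr file.
    _write(os.path.join(rootfs, "proc/self/attr/exec"), "container_t\n")
    out["sysrq_after_label_write"] = _read(os.path.join(rootfs, "proc/sysrq-trigger"))
    out["label_nofollow_ok"] = _nofollow_opens(rootfs, "proc/self/attr/exec", os.O_WRONLY)
    return out


def run_demo():
    """Build a malicious and a benign rootfs and audit both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)  # keeps relpath stable (e.g. /var -> /private/var)
        for name in ("malicious", "benign"):
            results[name] = audit(build_rootfs(os.path.join(tmp, name), name == "malicious"))
    return results


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(name, res)
```

On the malicious rootfs the string-based resolution of dev/console ends at proc/sys/kernel/core_pattern and the path-based label write lands in sysrq-trigger, while both O_NOFOLLOW opens fail; on the benign rootfs the opposite holds. In real code the mount or write would then be issued through the returned descriptor (for example via /proc/self/fd/N or fd-based mount APIs) rather than through a path string the container can swap underneath.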
