x/vulndb: potential Go vuln in github.com/opencontainers/runc: GHSA-cgrx-mc8f-2prm #4098

@GoVulnBot

Advisory GHSA-cgrx-mc8f-2prm references a vulnerability in the following Go modules:

Module
github.com/opencontainers/runc

Description:

Impact

This attack is primarily a more sophisticated version of CVE-2019-19921, which was a flaw which allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation runc applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when runc writes LSM labels that those labels are actual procfs files.

Rather than using a fake tmpfs file for /proc/self/attr/<label>, an attacker could instead (through various me...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/opencontainers/runc
      non_go_versions:
        - introduced: TODO (earliest fixed "1.4.0-rc.3", vuln range ">= 1.4.0-rc.1, <= 1.4.0-rc.2")
        - introduced: TODO (earliest fixed "1.3.3", vuln range ">= 1.3.0-rc.1, <= 1.3.2")
        - introduced: TODO (earliest fixed "1.2.8", vuln range "<= 1.2.7")
      vulnerable_at: 1.3.3
summary: |-
    runc container escape and denial of service due to arbitrary write gadgets and
    procfs write redirects in github.com/opencontainers/runc
cves:
    - CVE-2025-52881
ghsas:
    - GHSA-cgrx-mc8f-2prm
references:
    - advisory: https://github.com/advisories/GHSA-cgrx-mc8f-2prm
    - advisory: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
    - fix: https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557
    - fix: https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d
    - fix: https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58
    - fix: https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6
    - fix: https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f
    - fix: https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544
    - fix: https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db
    - fix: https://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322
    - fix: https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28
    - fix: https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2
    - fix: https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165
    - fix: https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64
    - fix: https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1
    - fix: https://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3
    - fix: https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51
    - fix: https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480
    - fix: https://github.com/opencontainers/selinux/pull/237
    - web: https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
    - web: https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs
    - web: https://youtu.be/tGseJW_uBB8
    - web: https://youtu.be/y1PaBzxwRWQ
notes:
    - fix: 'module merge error: could not merge versions of module github.com/opencontainers/runc: invalid or non-canonical semver version (found TODO (earliest fixed "1.4.0-rc.3", vuln range ">= 1.4.0-rc.1, <= 1.4.0-rc.2"))'
source:
    id: GHSA-cgrx-mc8f-2prm
    created: 2025-11-05T19:01:18.61286102Z
review_status: UNREVIEWED
