CVE-2025-52565 is a vulnerability in the opencontainers runc tool, which is widely used for spawning and running OCI-compliant containers. The flaw exists in versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2. It stems from insufficient checks during the bind-mounting process of /dev/pts/$n to /dev/console inside containers. Specifically, attackers can exploit symbolic link (symlink) following weaknesses (CWE-61) and race conditions (CWE-363) to trick runc into bind-mounting paths that are normally read-only or masked onto writable paths controlled by the attacker. This manipulation occurs after the pivot_root system call, preventing direct host file writes but enabling indirect attacks. By gaining a writable copy of sensitive kernel interfaces such as /proc/sysrq-trigger, attackers can cause denial of service on the host or container. Alternatively, by modifying /proc/sys/kernel/core_pattern, attackers can achieve container breakout, escaping container isolation. The vulnerability requires local attacker presence with user interaction but no elevated privileges. The CVSS 4.0 score is 8.4 (high), reflecting the significant impact on integrity and availability with low attack complexity. The issue is fixed in runc versions 1.2.8, 1.3.3, and 1.4.0-rc.3. No known exploits are currently in the wild, but the similarity to CVE-2025-31133 indicates a credible attack vector. Organizations relying on runc for container orchestration should urgently update to patched versions to mitigate risks of container breakout and denial of service.

For European organizations, this vulnerability poses a significant risk to containerized environments, which are widely adopted across industries including finance, healthcare, and critical infrastructure. Exploitation can lead to container breakout, undermining the isolation guarantees of containerization and potentially exposing sensitive data or internal systems. Denial of service attacks could disrupt critical services, impacting business continuity and compliance with regulations such as GDPR and NIS Directive. The ability to manipulate kernel interfaces indirectly could also facilitate further privilege escalation or lateral movement within networks. Given the prevalence of runc as a core container runtime in Kubernetes and Docker environments, the scope of affected systems is broad, increasing the potential impact. Organizations with multi-tenant or cloud environments are particularly at risk, as attackers could leverage this vulnerability to compromise shared infrastructure. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, especially in environments with untrusted users or compromised containers.

European organizations should immediately upgrade runc to versions 1.2.8, 1.3.3, or 1.4.0-rc.3 or later to remediate this vulnerability. Beyond patching, implement strict container runtime security policies that limit bind-mount usage and restrict access to sensitive device files such as /dev/pts and /dev/console. Employ container security tools that monitor and enforce least privilege principles, preventing containers from mounting or accessing critical host paths. Use kernel security modules like SELinux or AppArmor to confine container processes and restrict their ability to manipulate /proc filesystem entries. Regularly audit container configurations and runtime parameters for unsafe bind mounts or symlink usage. Incorporate runtime detection tools that can identify anomalous bind-mount operations or attempts to exploit symlink vulnerabilities. For environments with multi-tenant containers, isolate workloads using namespaces and cgroups to minimize the blast radius of potential container escapes. Finally, maintain robust logging and alerting for container runtime events to enable rapid detection and response to exploitation attempts.