CVE-2026-41579: CWE-61: UNIX Symbolic Link (Symlink) Following in opencontainers runc
A symbolic link (symlink) following vulnerability exists in opencontainers runc prior to versions 1.3.6, 1.4.3, and 1.5.0. The issue arises during container root filesystem setup, where malicious container images with /dev as a symlink can cause runc to delete or create files on the host system. This vulnerability is not exploitable under Docker due to Docker's use of a top-level read-only layer that prevents such symlink attacks. The vulnerability has a low severity score and has been fixed in the specified versions.
AI Analysis
Technical Summary
In opencontainers runc versions before 1.3.6, 1.4.3, and 1.5.0, the setupPtmx and setupDevSymlinks functions use os.Remove and os.Symlink with filepath.Join on paths that can be manipulated if the container image contains /dev as a symlink. This allows a malicious image to trick runc into deleting host files named ptmx or creating symlinks with specific names and targets in arbitrary host directories. Docker mitigates this risk by applying a top-level read-only layer masking any malicious /dev symlink, but other container runtimes built on runc may remain vulnerable. The issue is tracked as CWE-61 (Improper Handling of Symbolic Links) and has a CVSS v3.1 score of 3.3 (low).
Potential Impact
The vulnerability can lead to limited integrity impact by allowing deletion or creation of files on the host filesystem during container setup. There is no confidentiality or availability impact reported. Exploitation requires local access and user interaction, and is mitigated in Docker environments. Other container runtimes using vulnerable runc versions may be exposed to this risk.
Mitigation Recommendations
Upgrade runc to version 1.3.6, 1.4.3, or 1.5.0 or later where this issue is fixed. If using Docker, this vulnerability is not exploitable due to Docker's read-only layer protection. For other container runtimes built on runc, ensure they use patched runc versions to mitigate the risk.
CVE-2026-41579: CWE-61: UNIX Symbolic Link (Symlink) Following in opencontainers runc
Description
A symbolic link (symlink) following vulnerability exists in opencontainers runc prior to versions 1.3.6, 1.4.3, and 1.5.0. The issue arises during container root filesystem setup, where malicious container images with /dev as a symlink can cause runc to delete or create files on the host system. This vulnerability is not exploitable under Docker due to Docker's use of a top-level read-only layer that prevents such symlink attacks. The vulnerability has a low severity score and has been fixed in the specified versions.
CVSS v3.1
Score 3.3low
Affected software
pkg:github/opencontainers/runcRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In opencontainers runc versions before 1.3.6, 1.4.3, and 1.5.0, the setupPtmx and setupDevSymlinks functions use os.Remove and os.Symlink with filepath.Join on paths that can be manipulated if the container image contains /dev as a symlink. This allows a malicious image to trick runc into deleting host files named ptmx or creating symlinks with specific names and targets in arbitrary host directories. Docker mitigates this risk by applying a top-level read-only layer masking any malicious /dev symlink, but other container runtimes built on runc may remain vulnerable. The issue is tracked as CWE-61 (Improper Handling of Symbolic Links) and has a CVSS v3.1 score of 3.3 (low).
Potential Impact
The vulnerability can lead to limited integrity impact by allowing deletion or creation of files on the host filesystem during container setup. There is no confidentiality or availability impact reported. Exploitation requires local access and user interaction, and is mitigated in Docker environments. Other container runtimes using vulnerable runc versions may be exposed to this risk.
Mitigation Recommendations
Upgrade runc to version 1.3.6, 1.4.3, or 1.5.0 or later where this issue is fixed. If using Docker, this vulnerability is not exploitable due to Docker's read-only layer protection. For other container runtimes built on runc, ensure they use patched runc versions to mitigate the risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-21T14:15:21.958Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a446bac27e9c79719c24386
Added to database: 07/01/2026, 01:21:48 UTC
Last enriched: 07/01/2026, 01:37:55 UTC
Last updated: 07/01/2026, 01:48:12 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.