Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-41579: CWE-61: UNIX Symbolic Link (Symlink) Following in opencontainers runc

0
Low
VulnerabilityCVE-2026-41579cvecve-2026-41579cwe-61
Published: 07/01/2026 (07/01/2026, 00:02:08 UTC)
Source: CVE Database V5
Vendor/Project: opencontainers
Product: runc

Description

A symbolic link (symlink) following vulnerability exists in opencontainers runc prior to versions 1.3.6, 1.4.3, and 1.5.0. The issue arises during container root filesystem setup, where malicious container images with /dev as a symlink can cause runc to delete or create files on the host system. This vulnerability is not exploitable under Docker due to Docker's use of a top-level read-only layer that prevents such symlink attacks. The vulnerability has a low severity score and has been fixed in the specified versions.

CVSS v3.1

Score 3.3low

Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected software

GitHub Actionsmore threats →ai
opencontainers/runc
pkg:github/opencontainers/runc
Affected versions
<1.3.6<1.4.3<1.5.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/01/2026, 01:37:55 UTC

Technical Analysis

In opencontainers runc versions before 1.3.6, 1.4.3, and 1.5.0, the setupPtmx and setupDevSymlinks functions use os.Remove and os.Symlink with filepath.Join on paths that can be manipulated if the container image contains /dev as a symlink. This allows a malicious image to trick runc into deleting host files named ptmx or creating symlinks with specific names and targets in arbitrary host directories. Docker mitigates this risk by applying a top-level read-only layer masking any malicious /dev symlink, but other container runtimes built on runc may remain vulnerable. The issue is tracked as CWE-61 (Improper Handling of Symbolic Links) and has a CVSS v3.1 score of 3.3 (low).

Potential Impact

The vulnerability can lead to limited integrity impact by allowing deletion or creation of files on the host filesystem during container setup. There is no confidentiality or availability impact reported. Exploitation requires local access and user interaction, and is mitigated in Docker environments. Other container runtimes using vulnerable runc versions may be exposed to this risk.

Mitigation Recommendations

Upgrade runc to version 1.3.6, 1.4.3, or 1.5.0 or later where this issue is fixed. If using Docker, this vulnerability is not exploitable due to Docker's read-only layer protection. For other container runtimes built on runc, ensure they use patched runc versions to mitigate the risk.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-04-21T14:15:21.958Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null

Threat ID: 6a446bac27e9c79719c24386

Added to database: 07/01/2026, 01:21:48 UTC

Last enriched: 07/01/2026, 01:37:55 UTC

Last updated: 07/01/2026, 01:48:12 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses