This advisory covers security fixes in Red Hat OpenShift Container Platform 4.16.53 for three vulnerabilities in the runc container runtime. CVE-2025-31133 addresses a container escape via 'masked path' abuse due to mount race conditions. CVE-2025-52565 involves container escape through malicious configuration exploiting /dev/console mount races. CVE-2025-52881 concerns container escape and denial of service caused by arbitrary write gadgets and procfs write redirects in opencontainers/selinux. These issues could allow a container to escape its isolation boundary. The update includes patched container images and RPM packages. Users should upgrade using the OpenShift CLI or web console following Red Hat's documented procedures. The advisory rates the security impact as Important (high severity). No CVSS scores are provided in the advisory.

Successful exploitation of these vulnerabilities could allow an attacker to escape container isolation, potentially gaining unauthorized access to the host system or causing denial of service. This compromises the security guarantees of containerized workloads running on OpenShift Container Platform 4.16. The vulnerabilities affect the runc runtime component used in container management. No known active exploits have been reported so far.

Red Hat has released updated container images and RPM packages as part of OpenShift Container Platform 4.16.53 that fix these vulnerabilities. All users of OpenShift Container Platform 4.16 are strongly advised to upgrade to these updated packages and images as soon as they become available in their release channel. Upgrades can be performed using the OpenShift CLI (oc) or web console. Detailed upgrade instructions are available in Red Hat's official documentation. Patch status is confirmed by the vendor advisory, and applying the update fully mitigates the described vulnerabilities.