This advisory covers security fixes in Red Hat OpenShift Container Platform 4.14.61 for three vulnerabilities in the runc container runtime. CVE-2025-31133 involves container escape via 'masked path' abuse due to mount race conditions. CVE-2025-52565 allows container escape through malicious configuration exploiting /dev/console mount races. CVE-2025-52881 concerns container escape and denial of service caused by arbitrary write gadgets and procfs write redirects affecting opencontainers/selinux. These vulnerabilities could allow an attacker to escape container isolation or cause denial of service. Updated RPM packages and container images have been released to address these issues. Users are advised to upgrade using the OpenShift CLI or web console following Red Hat's documented procedures.

The vulnerabilities impact container isolation in Red Hat OpenShift Container Platform 4.14, potentially allowing attackers to escape container boundaries or cause denial of service. This could compromise the security of containerized workloads by enabling unauthorized access or disruption. The advisory rates the security impact as Important (high severity). There are no known exploits in the wild at the time of the advisory.

Red Hat has released updated RPM packages and container images in OpenShift Container Platform 4.14.61 that fix these vulnerabilities. All users of OpenShift Container Platform 4.14 are strongly advised to upgrade to these updated packages and images as soon as they are available in the appropriate release channel. Upgrades can be performed using the OpenShift CLI (oc) or the web console. Detailed upgrade instructions are provided by Red Hat at https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html-single/updating_clusters/index#updating-cluster-cli. No alternative mitigations are indicated; applying the official updates is required to remediate these issues.