The runC tool, a lightweight container runtime implementation, contains multiple security vulnerabilities: CVE-2025-31133 involves container escape via 'masked path' abuse due to mount race conditions; CVE-2025-52565 involves container escape through malicious configuration exploiting /dev/console mount and related race conditions; CVE-2025-52881 involves container escape and denial of service via arbitrary write gadgets and procfs write redirects; CVE-2025-65637 affects the github.com/sirupsen/logrus library causing denial of service due to large single-line payloads. These vulnerabilities impact container isolation and stability. Red Hat has issued an important security advisory (RHSA-2026:4531) with updated packages for Red Hat Enterprise Linux 9.2 and related variants to address these issues.

These vulnerabilities can lead to container escape, allowing an attacker to break out of the container environment, potentially gaining unauthorized access to the host system. Additionally, denial-of-service conditions may be triggered, affecting system availability. The issues affect container runtime security and could compromise the isolation guarantees expected from containerized environments. No known exploits in the wild have been reported at this time.

Red Hat has released updated runC packages for Red Hat Enterprise Linux 9.2 and related variants that address these vulnerabilities. Users should apply the security update as described in the Red Hat advisory RHSA-2026:4531 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended and effective mitigation. No additional vendor-recommended mitigations or workarounds are indicated.