Update module github.com/opencontainers/runc to v1.4.3 [SECURITY]#29008
Merged
Luap99 merged 1 commit intoJun 23, 2026
Merged
Conversation
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Luap99
enabled auto-merge
June 23, 2026 11:14
renovate
Bot
deleted the
renovate/go-github.com-opencontainers-runc-vulnerability
branch
June 23, 2026 11:35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.4.2→v1.4.3runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
CVE-2026-41579 / GHSA-xjvp-4fhw-gc47
More information
Details
Impact
When setting up the container rootfs,
setupPtmxandsetupDevSymlinkscallos.Removeandos.Symlinkwith afilepath.Joinstring which allow an image with/devas a symlink to trick runc into deleting files calledptmxon the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory.Please note that this issue is not exploitable under Docker because it creates a top-level
rolayer that masks any malicious/devsymlink present in the container image (this is also done without mounting the lower layers so there is no opportunity for the malicious/devsymlink to trick it into resolving to some other path). Unfortunately, Podman and containerd† do not do this and so users using those higher-level runtimes with runc can be exploited via a malicious image.This issue mirrors a somewhat similar issue in crun, which was also published recently.
† Actually, at the time the issue was analysed, containerd had dead code that implemented this feature but the implementation contained several security issues that would arguably have made it more exploitable than in runc. Luckily, the code appears to have never been used (at least since 2017) and the code has since been removed.
Mitigating Factors
There are a few mitigating factors about this issue which reduce the impact for most users quite significantly, and is the reason why we decided to release the fix publicly without an embargo.
While the deletion of
ptmxseems like a significant issue, in practice it is quite limited. Notably,devptsdoes not permit you to unlink/dev/pts/ptmxregardless of privileges and so it is not a usable target for this attack. Additionally, while/dev/ptmxcan be unlinked‡, trying to use an image with a symlink from/devto/devwill cause runc will return an error before it reaches the buggy code (it correctly detects a symlink loop while setting up the mount target and the code correctly scopes the lookup inside the container). Thus, the only files calledptmxthat are guaranteed to exist on the system cannot actually be removed by this bug and so only some user file that happens to have that specific name could be deleted, which seems fairly unlikely to happen on real systems.As for the issue of symlinks, again the impact is likely quite limited. While the creation of arbitrary symlinks could be used to create drop-in files for system services (and thus lead to a container breakout), the hardcoded set of symlink names and targets that this bug allows you to create on the host make it quite unlikely that you would be able to do much more than pollute the host system with dummy symlinks. Here is the complete list of symlinks that can be created with this attack:
core→/proc/kcorefd→/proc/self/fd/ptmx→pts/ptmxstdin→/proc/self/fd/0stdout→/proc/self/fd/1stderr→/proc/self/fd/2Note that none of these symlinks are likely to point to user-controlled data -- the
/proc/self/fd/$nsymlinks are all properties of the process accessing them (so privileged processes will only see the state they were spawned with) and thepts/ptmxsymlink is almost certainly in the same privilege scope as the directory the symlink itself is in. It seems the only somewhat plausible impact would be that a service could return an error when trying to parse one of these symlinks and thus treat it as an invalid configuration file. How arbitrary processes deal with this situation is a bit hard to analyse, but most daemons require configuration files to have certain suffixes (such as.conf) so it's not really clear how large the impact is in practice and it seems there are a few barriers to clear to use this to cause a DoS or other problems.‡ This would actually be quite problematic if it could occur because
glibcseemingly only attempts to use/dev/ptmxwhen creating new terminals and thus most terminal managers (includingtmux) and shell tools (includingsudo-- but notsu) would fail to start and thus bring the system to a halt.setupPtmxdoes add a symlink to/dev/pts/ptmxafterwards but on some systems the mode of the host/dev/pts/ptmxis set to0o000which would still cause the same DoS issue.Patches
This issue has been patched in runc 1.3.6, runc 1.4.3, and runc 1.5.0-rc.3.
Workarounds
Using user namespaces restricts this attack fairly significantly such that the attacker can only create/delete inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don't use
/etc/sub[ug]id), this in practice means that an attacker would only be able to create or delete inodes in world-writable directories.LSMs can restrict the scope of where in the host filesystem runc can be tricked into operating on, though how much this helps is questionable. The default
container_runtime_tSELinux label rules (or custom AppArmor rules for the hostrunccontext) may restrict the scope where these filesystem operations can operate on, but we have not done an in-depth analysis on the impact of those kinds of LSM protections.Resources
Credits
runc thanks "Davias" for initially finding and reporting this issue. The same underlying issue (with varying levels of completeness) was later reported by Arthur Chan (@arthurscchan from Ada Logics), Junyi Liu (@mosskappa), and Derek Manzella (@Dmanzella).
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
opencontainers/runc (github.com/opencontainers/runc)
v1.4.3: runc 1.4.3 -- "The best way to irritate him is to feed his grandmother to the Ravenous Bugblatter Beast of Traal."Compare Source
This is the third patch release of the 1.4.z series of runc. Among some
performance improvements and bugfixes, it includes a fix for a
low-severity vulnerability (CVE-2026-41579) and users are encouraged to
update. As it was a low-severity vulnerability and it was reported by
multiple people, we decided to release it publicly with NO EMBARGO.
Security
This release includes a fix for the following low-severity security issue:
/devsymlink to havelimited write access to the host filesystem in ways that our analysis
indicates was too limited to be problematic in practice. This bug was very
similar to those fixed in CVE-2025-31133, CVE-2025-52565,
CVE-2025-31133 and was simply missed at the time when we hardened the
rootfs preparation code. We have conducted a deeper audit and not found any
other problematic cases.
Fixed
#5249, #5269, #5287, #5295, #5304)
Changed
maskPaths, runc will now re-use a singletmpfsinstance (which is not writable) to reduce the numbertmpfssuperblocks that need to be reaped when containers die (in particular,
Kubernetes applies masks to per-CPU sysfs directories which get expensive
quickly). (#5275, #5281)
Static Linking Notices
The
runcbinary distributed with this release are statically linked withthe following GNU LGPL-2.1 licensed libraries, with
runcactingas a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following contributors for making this release possible:
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
Configuration
📅 Schedule: (in timezone UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.