
Runtime bugs break container partitions, enabling root on Docker hosts



Console and Write-Gadget Lurkers: CVE-2025-52565 & CVE-2025-52881

The second vulnerability, tracked as CVE-2025-52565, targets the “/dev/console” bind-mount handling. An attacker can replace the target path with a symlink, which can trick runc into bind-mounting the wrong target, giving the attacker write access to procfs paths.

“As with CVE-2025-31133, this occurs after pivot_root(2) and so can’t be used to bind-mount host files directly, but an attacker can trick runc into creating a read-write bind-mount of /proc/sys/kernel/core_pattern or /proc/sysrq-trigger, leading to a full container breakout,” Sarai said, adding that versions 1.0.0-rc3 and later remain vulnerable.

The third flaw (CVE-2025-52881) allows an attacker to bypass Linux Security Modules (LSM) such as SELinux or AppArmor by redirecting writes to procfs files. Once the LSM labels are effectively neutered, writes to host-level procfs become possible, enabling full host compromise.
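As an added example (not code from the article, from runc or from the advisory), the following Python check parses a container's /proc/self/mountinfo and reports any proc-filesystem mount that exposes core_pattern or sysrq-trigger read-write, including a bind-mount that lands at an unexpected place such as /dev/console. The mountinfo lines are constructed to resemble runc's default read-only remounts and are an assumption, not captured output.

```python
"""Audit /proc/self/mountinfo for procfs paths that are reachable read-write from a container."""
import posixpath
# procfs-relative paths that must never be writable from inside a container
SENSITIVE = ("sys/kernel/core_pattern", "sysrq-trigger")

def parse_mountinfo(text):
    """One dict per line, using the field layout documented in proc(5)."""
    mounts = []
    for line in text.strip().splitlines():
        left, _, right = line.partition(" - ")          # optional fields end at " - "
        f = left.split()
        mounts.append({"root": f[3], "mount_point": f[4], "fstype": right.split()[0],
                       "options": set(f[5].split(","))})
    return mounts

def _topmost(mounts, path):
    """Index of the mount that actually serves `path`: longest prefix, last one stacked."""
    best = None
    for i, m in enumerate(mounts):
        mp = m["mount_point"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(mounts[best]["mount_point"]):
                best = i
    return best

def writable_sensitive_procfs(text):
    """Return (path_in_container, procfs_path) pairs that are exposed read-write."""
    mounts = parse_mountinfo(text)
    hits = []
    for i, m in enumerate(mounts):
        if m["fstype"] != "proc" or "ro" in m["options"]:
            continue                                    # not procfs, or remounted read-only
        root = m["root"].strip("/")                     # procfs subtree this mount exposes
        for s in SENSITIVE:
            if root and s != root and not s.startswith(root + "/"):
                continue                                # this subtree does not contain `s`
            rel = s[len(root):].lstrip("/")
            cpath = posixpath.join(m["mount_point"], rel) if rel else m["mount_point"]
            if _topmost(mounts, cpath) == i:            # not shadowed by a ro mount on top
                hits.append((cpath, "/proc/" + s))
    return hits

# Constructed samples: runc-style read-only remounts, then the same tree plus a read-write
# proc bind-mount whose root is core_pattern and whose mount point is /dev/console.
HARDENED = """\
40 30 0:17 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
41 40 0:17 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
42 40 0:17 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw"""
COMPROMISED = HARDENED + "\n43 30 0:17 /sys/kernel/core_pattern /dev/console rw,relatime - proc proc rw"
```

Run inside the container against the real file with `writable_sensitive_procfs(open("/proc/self/mountinfo").read())`; an empty list means every sensitive procfs path is covered by a read-only mount.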
