Impact
A malicious container image that includes a symlink named /dev can trick runc into deleting its local /ptmx file or creating symlinks in arbitrary host directories during root filesystem setup. This flaw allows an attacker to alter or remove critical files on the host, thereby compromising filesystem integrity. The vulnerability stems from insecure file operations that build host paths with unsafe path joins, and it is classified under CWE-61 (UNIX symbolic link following).
Affected Systems
The flaw applies to the opencontainers:runc CLI tool in all releases before 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, and 1.5.0-rc.1. Updating to runc 1.3.6, 1.4.3, or a later 1.5.0 release eliminates the issue.
Risk and Exploitability
The CVSS score of 3.3 indicates low severity. EPSS data is unavailable and the vulnerability is not listed in CISA KEV. The attack vector is the inclusion of a malicious /dev symlink in a container image; exploitation requires that runc perform root filesystem setup on that image. While Docker mitigates the flaw by creating a read-only top-level layer, runtimes that rely directly on runc remain exposed. Current evidence suggests that the risk to most users is modest but non-zero, particularly in environments where untrusted images are run with runc or where the container runtime does not impose strict layer restrictions.
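As an added illustration of the unsafe-join problem described above and the check a runtime should make before touching a container path (example code written for this page, not runc's own implementation): a bare filepath.Join of rootfs and /dev/ptmx looks harmless as a string, but if /dev inside the rootfs is a symlink the kernel follows it to a host directory. SafeJoin resolves the parent directory the way the kernel would and refuses the operation when it would leave the rootfs; BuildRootfs constructs the sample layout, with the malicious /dev symlink standing in for the image in the advisory (the directory names and function names are assumptions).

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// SafeJoin is the hardened counterpart of a bare filepath.Join(rootfs, inside):
// it resolves the symlinks the kernel would follow and refuses to return a host
// path when the operation would land outside rootfs. The leaf need not exist.
func SafeJoin(rootfs, inside string) (string, error) {
	root, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	// Resolve only the parent directory, since the leaf may be created here.
	parent, err := filepath.EvalSymlinks(filepath.Join(root, filepath.Dir(inside)))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, parent)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, "../") {
		return "", errors.New("refusing " + inside + ": symlink leads outside rootfs to " + parent)
	}
	return filepath.Join(parent, filepath.Base(inside)), nil
}

// BuildRootfs lays out a constructed sample rootfs under dir. With malicious set,
// /dev is a symlink to a directory outside the rootfs, as in the advisory;
// otherwise /dev is a plain directory. It returns the rootfs and the outside dir.
func BuildRootfs(dir string, malicious bool) (string, string, error) {
	rootfs := filepath.Join(dir, "rootfs")
	outside := filepath.Join(dir, "host-target")
	if err := os.MkdirAll(rootfs, 0o755); err != nil {
		return "", "", err
	}
	if err := os.MkdirAll(outside, 0o755); err != nil {
		return "", "", err
	}
	dev := filepath.Join(rootfs, "dev")
	if malicious {
		return rootfs, outside, os.Symlink(outside, dev)
	}
	return rootfs, outside, os.Mkdir(dev, 0o755)
}
```

Running SafeJoin(rootfs, "/dev/ptmx") against the malicious layout returns an error naming the host directory the symlink points to, while the same call against the benign layout returns a path under rootfs/dev.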
OpenCVE Enrichment
Github GHSA