{ "document": { "aggregate_severity": { "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "upgrade to runc 1.2.8 to fix multiple critical security vulnerabilities:\n- CVE-2024-21626: fix file descriptor leak vulnerability allowing container\n escape\n- CVE-2025-52565: fix container escape with malicious config due to /dev/console\n mount races\n- CVE-2025-31133: fix container escape and denial of service due to masked path\n abuse\n- CVE-2025-52881: fix container escape and denial of service due to procfs\n write redirects\n- remove obsolete CVE-2023-27561_CVE-2023-28642.patch (fixes included in 1.2.8)\n- add no_openssl build tag to prevent use of vendored crypto libraries\n- add runc_dmz_selinux_nocompat build tag for SELinux DMZ feature support\n- add container-selinux >= 2.224.0 dependency for DMZ SELinux feature", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2025/clsa-2025_1763648873.json" }, { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763648873", "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763648873" } ], "tracking": { "current_release_date": "2026-02-16T09:50:00Z", "generator": { "date": "2026-02-16T09:50:00Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2025:1763648873", "initial_release_date": "2025-11-20T14:28:40Z", "revision_history": [ { "date": "2025-11-20T14:28:40Z", "number": "1", "summary": "Initial version" }, { "date": "2026-02-16T09:50:00Z", "number": "2", "summary": "Update document" } ], "status": "final", "version": "2" }, "title": "runc: Fix of 6 CVEs" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.2", "product": { "name": "AlmaLinux 9.2", "product_id": "AlmaLinux-9.2", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64", "product": { "name": "runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64", "product_id": "runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/runc@1.2.8-1.el9_1.tuxcare.els1?arch=x86_64&epoch=4" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" }, "product_reference": "runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-52565", "cwe": { "id": "CWE-61", "name": "UNIX Symbolic Link (Symlink) Following" }, "notes": [ { "category": "description", "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-52565" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4", "url": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398", "url": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e", "url": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d", "url": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a", "url": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64", "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8", "url": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480", "url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r", "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r" } ], "release_date": "2025-11-06T20:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-11-20T14:27:55.508563Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1763648873", "product_ids": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763648873" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2025-31133", "cwe": { "id": "CWE-61", "name": "UNIX Symbolic Link (Symlink) Following" }, "notes": [ { "category": "description", "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-31133" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522", "url": "https://github.com/opencontainers/runc/commit/1a30a8f3d921acbbb6a4bb7e99da2c05f8d48522" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66", "url": "https://github.com/opencontainers/runc/commit/5d7b2424072449872d1cd0c937f2ca25f418eb66" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f", "url": "https://github.com/opencontainers/runc/commit/8476df83b534a2522b878c0507b3491def48db9f" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64", "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2", "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2" } ], "release_date": "2025-11-06T19:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-11-20T14:27:55.508563Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1763648873", "product_ids": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763648873" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2025-52881", "cwe": { "id": "CWE-61", "name": "UNIX Symbolic Link (Symlink) Following" }, "notes": [ { "category": "description", "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-52881" }, { "category": "external", "summary": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322", "url": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322" }, { "category": "external", "summary": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3", "url": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md", "url": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557", "url": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d", "url": "https://github.com/opencontainers/runc/commit/435cc81be6b79cdec73b4002c0dae549b2f6ae6d" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58", "url": "https://github.com/opencontainers/runc/commit/44a0fcf685db051c80b8c269812bb177f5802c58" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6", "url": "https://github.com/opencontainers/runc/commit/4b37cd93f86e72feac866442988b549b5b7bf3e6" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f", "url": "https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544", "url": "https://github.com/opencontainers/runc/commit/77889b56db939c323d29d1130f28f9aea2edb544" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db", "url": "https://github.com/opencontainers/runc/commit/77d217c7c3775d8ca5af89e477e81568ef4572db" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28", "url": "https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2", "url": "https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165", "url": "https://github.com/opencontainers/runc/commit/d61fd29d854b416feaaf128bf650325cd2182165" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64", "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1", "url": "https://github.com/opencontainers/runc/commit/ed6b1693b8b3ae7eb0250a7e76fc888cdacf98c1" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51", "url": "https://github.com/opencontainers/runc/commit/ff6fe1324663538167eca8b3d3eec61e1bd4fa51" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480", "url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2", "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm", "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r", "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r" } ], "release_date": "2025-11-06T21:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-11-20T14:27:55.508563Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1763648873", "product_ids": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763648873" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2024-21626", "cwe": { "id": "CWE-403", "name": "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')" }, "notes": [ { "category": "description", "text": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (\"attack 2\"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (\"attack 1\"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (\"attack 3a\" and \"attack 3b\"). runc 1.1.12 includes patches for this issue.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2024-21626" }, { "category": "external", "summary": "http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html", "url": "http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2024/02/01/1", "url": "http://www.openwall.com/lists/oss-security/2024/02/01/1" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2024/02/02/3", "url": "http://www.openwall.com/lists/oss-security/2024/02/02/3" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf", "url": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/releases/tag/v1.1.12", "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.12" }, { "category": "external", "summary": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv", "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html", "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/" }, { "category": "external", "summary": "https://www.vicarius.io/vsociety/posts/leaky-vessels-part-1-cve-2024-21626", "url": "https://www.vicarius.io/vsociety/posts/leaky-vessels-part-1-cve-2024-21626" } ], "release_date": "2024-01-31T22:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-11-20T14:27:55.508563Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1763648873", "product_ids": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1763648873" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:runc-4:1.2.8-1.el9_1.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] } ] }