CVE-2026-41579
Severity: Low (CVSS 3.3)
Exploitation Probability (EPSS): Low risk, 13th percentile (higher than 13% of all known CVEs)
Summary
In runc before versions 1.3.6, 1.4.3 and 1.5.0, setupPtmx and setupDevSymlinks build paths under the container rootfs with a purely lexical filepath.Join and then call os.Remove and os.Symlink on the result. Nothing checks whether /dev inside the rootfs is itself a symlink, so a malicious image whose /dev points at a host directory can make runc delete a file named ptmx in that directory, or create runc's fixed set of /dev symlinks (fixed names and targets) inside an arbitrary pre-existing host directory. Docker is not affected because it places a read-only top-level layer over the image that masks such a /dev symlink; other container tooling built on runc that does not do this remains exposed.
Risk Assessment
Hosts running non-Docker container tooling built on runc can have their filesystem integrity damaged by a malicious image: runc can be tricked into deleting a file named ptmx in an attacker-chosen existing host directory, or into planting runc's fixed set of symlinks there. The attacker picks the target directory but not the file name, the symlink names or their targets, and must first get the image pulled and run on the host, which is why the severity is rated Low (CVSS 3.3).
Recommendation
Upgrade runc to 1.3.6, 1.4.3 or 1.5.0 (or later). Check which runc binary your container tooling actually invokes (`runc --version`), since non-Docker runtimes that bundle or vendor runc only pick up the fix once they ship the patched version. Until the upgrade is in place, limit hosts using such tooling to images from trusted sources.
Original NVD description (English source)
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join string which allow an image with /dev as a symlink to trick runc into deleting files called ptmx on the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This issue is not exploitable under Docker, because Docker creates a top-level read-only layer that masks any malicious /dev symlink present in the container image — unlike some other Linux container tooling, whose higher-level runtimes built on runc remain exposed to exploitation via a malicious image. This issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0.
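The following Go program is an added example, not runc's own code or its upstream fix. It reconstructs the pattern the description names (a lexical filepath.Join followed by os.Remove and os.Symlink) in a function named after setupPtmx, builds a constructed rootfs whose /dev is a symlink to a host directory, and shows the host file named ptmx being deleted and replaced with a symlink. A hardened variant resolves the parent directory with filepath.EvalSymlinks and refuses to act if it lands outside the rootfs; that check is an illustration of the missing containment test and is not how runc fixed the bug (the page does not describe the fix). The same pattern applies to the fixed symlink set created by setupDevSymlinks, which is not reproduced separately. All paths and file contents are constructed in a temporary directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a path component under rootfs resolves
// to a location outside rootfs.
var ErrEscapesRoot = errors.New("path escapes container rootfs")

// vulnerableSetupPtmx mirrors the pre-fix pattern the advisory describes:
// a purely lexical filepath.Join, then os.Remove and os.Symlink on the
// result. If rootfs/dev is a symlink the kernel follows it, so both calls
// land wherever the image author pointed it.
func vulnerableSetupPtmx(rootfs string) error {
	ptmx := filepath.Join(rootfs, "dev/ptmx") // lexical join: symlink-unaware
	if err := os.Remove(ptmx); err != nil && !os.IsNotExist(err) {
		return err
	}
	return os.Symlink("pts/ptmx", ptmx)
}

// joinInsideRoot resolves the parent directory of rel beneath rootfs and
// refuses any path whose resolved parent lies outside the resolved rootfs.
// The leaf is not resolved because it may not exist yet. Caveat: this is
// check-then-use; a process racing inside a live container could still
// swap the directory, which is why real runtimes work on directory file
// descriptors rather than paths. It is enough to show the bug class here.
func joinInsideRoot(rootfs, rel string) (string, error) {
	rootReal, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	parent, leaf := filepath.Split(rel)
	parentReal, err := filepath.EvalSymlinks(filepath.Join(rootReal, parent))
	if err != nil {
		return "", err
	}
	inside, err := filepath.Rel(rootReal, parentReal)
	if err != nil || inside == ".." || strings.HasPrefix(inside, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s resolves to %s", ErrEscapesRoot, rel, parentReal)
	}
	return filepath.Join(parentReal, leaf), nil
}

// hardenedSetupPtmx runs the same Remove/Symlink sequence only after the
// containment check passes.
func hardenedSetupPtmx(rootfs string) error {
	ptmx, err := joinInsideRoot(rootfs, "dev/ptmx")
	if err != nil {
		return err
	}
	if err := os.Remove(ptmx); err != nil && !os.IsNotExist(err) {
		return err
	}
	return os.Symlink("pts/ptmx", ptmx)
}

// Outcome records what happened to the constructed host file.
type Outcome struct {
	VictimSurvived     bool  // host/victim/ptmx is still a regular file
	HostSymlinkPlanted bool  // host/victim/ptmx is now a symlink
	SetupErr           error // error returned by the setup routine
}

// runScenario builds a constructed layout in a temp directory
// (host/victim/ptmx is a host file to keep; rootfs/dev is a symlink to
// host/victim, i.e. the malicious image) and runs one of the two setups.
func runScenario(hardened bool) Outcome {
	base, err := os.MkdirTemp("", "ptmx-demo-")
	if err != nil {
		return Outcome{SetupErr: err}
	}
	defer os.RemoveAll(base)

	victimDir := filepath.Join(base, "host", "victim")
	victim := filepath.Join(victimDir, "ptmx")
	rootfs := filepath.Join(base, "rootfs")
	if err := os.MkdirAll(victimDir, 0o755); err != nil {
		return Outcome{SetupErr: err}
	}
	if err := os.WriteFile(victim, []byte("host ptmx placeholder\n"), 0o644); err != nil {
		return Outcome{SetupErr: err}
	}
	if err := os.Mkdir(rootfs, 0o755); err != nil {
		return Outcome{SetupErr: err}
	}
	// Malicious image content: /dev is a symlink to a host directory.
	if err := os.Symlink(victimDir, filepath.Join(rootfs, "dev")); err != nil {
		return Outcome{SetupErr: err}
	}

	var out Outcome
	if hardened {
		out.SetupErr = hardenedSetupPtmx(rootfs)
	} else {
		out.SetupErr = vulnerableSetupPtmx(rootfs)
	}
	if fi, err := os.Lstat(victim); err == nil {
		out.VictimSurvived = fi.Mode().IsRegular()
		out.HostSymlinkPlanted = fi.Mode()&os.ModeSymlink != 0
	}
	return out
}

func main() {
	fmt.Printf("vulnerable: %+v\n", runScenario(false))
	fmt.Printf("hardened:   %+v\n", runScenario(true))
}
```

Running it shows the vulnerable routine succeeding while the host's ptmx file is gone and a symlink sits in its place, and the hardened routine returning ErrEscapesRoot with the host file untouched. The point to take away is that filepath.Join is string manipulation and says nothing about where the kernel will actually resolve the path once a symlink is in the way.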

