Lucene search
K

EulerOS 2.0 SP12 : docker-runc (EulerOS-SA-2026-1087)

🗓️ 15 Jan 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

EulerOS 2.0 SP12 docker-runc bind-mount flaws allow host denial or container escape.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(284789);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/15");

  script_cve_id("CVE-2025-31133", "CVE-2025-52565");

  script_name(english:"EulerOS 2.0 SP12 : docker-runc (EulerOS-SA-2026-1087)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the docker-runc package installed, the EulerOS installation on the remote host is affected
by the following vulnerabilities :

    runc is a CLI tool for spawning and running containers according to the OCI specification. Versions
    1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient
    checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc
    into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker
    can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it
    attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to
    `/dev/console` as configured for all containers that allocate a console). This happens after
    `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with
    CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the
    attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively).
    This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.(CVE-2025-52565)

    runc is a CLI tool for spawning and running containers according to the OCI specification. In versions
    1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform
    sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a
    real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack:  an
    arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape,
    or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and
    1.4.0-rc.3.(CVE-2025-31133)

Tenable has extracted the preceding description block directly from the EulerOS docker-runc security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2026-1087
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?64374b32");
  script_set_attribute(attribute:"solution", value:
"Update the affected docker-runc packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-52565");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-31133");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:docker-runc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12");

var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(12)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12");

if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

var flag = 0;

var pkgs = [
  "docker-runc-1.1.3-9.h32.eulerosv2r12"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"12", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "docker-runc");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Jan 2026 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 3.17.8
CVSS 48.4
EPSS0.0067
SSVC
2