EulerOS 2.0 SP10 : docker-runc (EulerOS-SA-2026-1306)


EulerOS 2.0 SP10 docker-runc has bind-mount flaws risking host escape; fixes in 1.2.8, 1.3.3, 1.4.0-rc.3.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

# Nessus compatibility layer: supplies the script_* registration calls used in the
# description block and the audit()/AUDIT_* helpers used by the check logic below.
include('compat.inc');

# Registration pass. When the engine loads the plugin with 'description' set, this
# block publishes the plugin metadata and exits; the actual package check runs in a
# separate pass where 'description' is unset.
if (description)
{
  script_id(302426);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/16");

  # Three runc flaws from the EulerOS advisory: two bind-mount source verification
  # issues (/dev/null masking, /dev/console) and a misdirected-/proc-write race.
  script_cve_id("CVE-2025-31133", "CVE-2025-52565", "CVE-2025-52881");

  script_name(english:"EulerOS 2.0 SP10 : docker-runc (EulerOS-SA-2026-1306)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  # Vulnerability text is reproduced verbatim from the vendor advisory. Note the closing
  # paragraph: detection is based solely on the installed package version, so a hit
  # means "older than the fixed build", not "flaw confirmed on this host".
  script_set_attribute(attribute:"description", value:
"According to the versions of the docker-runc package installed, the EulerOS installation on the remote host is affected
by the following vulnerabilities :

    runc is a CLI tool for spawning and running containers according to the OCI specification. In versions
    1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform
    sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a
    real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack:  an
    arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape,
    or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and
    1.4.0-rc.3.(CVE-2025-31133)

    runc is a CLI tool for spawning and running containers according to the OCI specification. Versions
    1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient
    checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc
    into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker
    can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it
    attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to
    `/dev/console` as configured for all containers that allocate a console). This happens after
    `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with
    CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the
    attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively).
    This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.(CVE-2025-52565)

    runc is a CLI tool for spawning and running containers according to the OCI specification. In versions
    1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs
    files through the use of a racing container with shared mounts (we have also verified this attack is
    possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering
    parallel execution of containers with custom shared mounts configured). This redirect could be through
    symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the
    mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused
    runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in
    versions 1.2.8, 1.3.3, and 1.4.0-rc.3.(CVE-2025-52881)

Tenable has extracted the preceding description block directly from the EulerOS docker-runc security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # Vendor advisory; the see_also value below is a Tenable short link to it.
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2026-1306
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d28d3041");
  script_set_attribute(attribute:"solution", value:
"Update the affected docker-runc packages.");
  # Severity vectors. The plugin covers three CVEs, so each *_score_source attribute
  # records which CVE the corresponding CVSS v2 / v3 / v4 vector was taken from.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-52881");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-31133");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2025-52565");

  # Tenable's metadata marks exploit code as publicly available for this advisory,
  # which is relevant when prioritising the update.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/03/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/16");

  # Local (credentialed) check; the CPE pair identifies the package and the OS family.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:docker-runc-1.0.0.rc3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling constraints: the plugin needs the SSH-gathered KB entries listed here
  # and is skipped entirely when the host reports an EulerOS UVP version.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

# RPM version-comparison helpers (rpm_check, rpm_report_get, pkg_tests_get).
include("rpm.inc");

# Credentialed local checks are a prerequisite: every KB key read below comes from them.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Target OS gate: must be EulerOS, release 2.0, service pack 10, and not a UVP build.
var os_release = get_kb_item("Host/EulerOS/release");
if (isnull(os_release) || os_release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp_version = get_kb_item("Host/EulerOS/uvp_version");
if (os_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10");

var service_pack = get_kb_item("Host/EulerOS/sp");
if (isnull(service_pack) || service_pack !~ "^(10)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10");

if (!empty_or_null(uvp_version)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10", "EulerOS UVP " + uvp_version);

# Without the installed-package inventory there is nothing to compare against.
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architecture gate: only i686/x86_64 hosts are checked. aarch64 is reported as a
# non-matching architecture; any other CPU string as "not implemented".
var arch = get_kb_item("Host/cpu");
if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
var is_x86 = ("x86_64" >< arch || arch =~ "^i[3-6]86$" || "x86" >< arch);
var is_aarch64 = ("aarch64" >< arch);
if (!is_x86 && !is_aarch64) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", arch);
if (!is_x86) audit(AUDIT_ARCH_NOT, "i686 / x86_64", arch);

# Fixed builds from the advisory. rpm_check() flags a package when the installed
# build is older than the reference; the flaws themselves are never exercised.
var fixed_refs = [
  "docker-runc-1.0.0.rc3-200.h27.eulerosv2r10"
];

var vuln_count = 0;
foreach (var ref in fixed_refs)
{
  if (rpm_check(release:"EulerOS-2.0", sp:"10", reference:ref)) vuln_count++;
}

# No outdated package found: distinguish "installed but already patched" from
# "not installed at all". audit() terminates the script in either case.
if (!vuln_count)
{
  var checked = pkg_tests_get();
  if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "docker-runc");
}

# At least one installed docker-runc build predates the fix: report with the
# installed-vs-fixed version table produced by rpm_check().
security_report_v4(
  port     : 0,
  severity : SECURITY_WARNING,
  extra    : rpm_report_get()
);
exit(0);
