CVE-2025-62596

Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path...

CVE-2025-62161

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7...

CVE-2025-62596

Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path...

CVE-2025-62161

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7...

youki 安全漏洞

youki is a youki open source implementation of the OCI runtime specification in Rust. A security vulnerability exists in youki version 0.5.6 and earlier, which stems from insufficient validation of the write target by the apparmor handler, which in combination with path substitution during pathna...

youki 安全漏洞

youki is a youki open source implementation of the OCI runtime specification in Rust. A security vulnerability exists in youki 0.5.6 and earlier versions, which stems from insufficient initial validation of source /dev/null and could lead to container escape...

CVE-2025-62596

Youki container runtime (Rust) versions ≤ 0.5.6 are affected by a vulnerability in apparmor write-target validation combined with path substitution during pathname resolution. A shared-mount race can substitute intermediate path components, allowing writes to unintended procfs locations and poten...

CVE-2025-62596 youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects

Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path...

CVE-2025-62596 youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects

Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path...

CVE-2025-62596 youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects

Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path...

EUVD-2025-37938

Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path...

CVE-2025-62161 youki container escape via "masked path" abuse due to mount race conditions

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7...

CVE-2025-62161

Summary: CVE-2025-62161 affects Youki container runtime prior to v0.5.7, where the initial validation of the host path /dev/null is insufficient when Youki bind-mounts the container’s /dev/null as a mask. This race/validation flaw can enable container escape under bind-mmount scenarios. Root caus...

CVE-2025-62161 youki container escape via "masked path" abuse due to mount race conditions

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7...

CVE-2025-62161 youki container escape via "masked path" abuse due to mount race conditions

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7...

EUVD-2025-37939

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7...

GHSA-VF95-55W6-QMRF youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects

Impact youki’s apparmor handling performs insufficiently strict write-target validation, which—combined with path substitution during pathname resolution—can allow writes to unintended procfs locations. Weak write-target check youki only verifies that the destination lies somewhere under procfs. ...

youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects

Impact youki’s apparmor handling performs insufficiently strict write-target validation, which—combined with path substitution during pathname resolution—can allow writes to unintended procfs locations. Weak write-target check youki only verifies that the destination lies somewhere under procfs. ...

GHSA-4G74-7CFF-XCV8 youki container escape via "masked path" abuse due to mount race conditions

Impact youki utilizes bind mounting the container's /dev/null as a file mask. When performing this operation, the initial validation of the source /dev/null was insufficient. Specifically, we initially failed to verify whether /dev/null was genuinely present. However, we did perform validation to...

youki container escape via "masked path" abuse due to mount race conditions

Impact youki utilizes bind mounting the container's /dev/null as a file mask. When performing this operation, the initial validation of the source /dev/null was insufficient. Specifically, we initially failed to verify whether /dev/null was genuinely present. However, we did perform validation to...