runc: container escape with malicious config due to /dev/console mount and related races

A flaw was found in runc. CVE-2025-52565 is very similar in concept and application toCVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount to /dev/pts/$n, if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount...

runc: container escape via 'masked path' abuse due to mount race conditions

A flaw was found in runc. This flaw exploits an issue with how masked paths are implementedin runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instea...

Metasploit Wrap-Up 01/09/2026

RISC-V Payloads This week brings more RISC-V payloads from community member bcoles. One provides a new adapter which allows RISC-V payloads to be converted to commands and delivered as a Metasploit fetch-payload. The second is a classic bind shell, offering the user interactive connectivity to th...

CVE-2022-23236

E-Series SANtricity OS Controller Software versions 11.40 through 11.70.2 store the LDAP BIND password in plaintext within a file accessible only to privileged users...

CVE-2020-24264

Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container ...

CVE-1999-0010

Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages...

CVE-1999-0009

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases...

CVE-1999-0184

When compiled with the -DALLOWUPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records...

CVE-1999-0849

Denial of service in BIND named via maxdname...

CVE-1999-0837

Denial of service in BIND by improperly closing TCP sessions via solinger...

CVE-1999-0011

Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer...

CVE-1999-0833

Buffer overflow in BIND 8.2 via NXT records...

CVE-1999-0851

Denial of service in BIND named via naptr...

CVE-1999-0024

DNS cache poisoning via BIND, by predictable query IDs...

CVE-1999-0835

Denial of service in BIND named via malformed SIG records...

CVE-1999-0385

The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands...

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000429)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000429 advisory. A vulnerability was found in Linux Kernel where refcount leak in llcpsockbind causing use-after-free which might lead to privilege escalations. Tenable has extracted...

bind security update

32:9.11.4-26.0.5.P2.16 - Resolve CVE-2025-40778 Orabug: 38699863 32:9.11.4-26.0.3.P2.16 - Resolve CVE-2024-11187 Orabug: 37616907 32:9.11.4-26.0.1.P2.16 - Resolve CVE-2024-1975 - Resolve CVE-2024-1737 - Add ability to change runtime limits for max types and records per name 32:9.11.4-26.P2.16 -...

Linux Command Shell, Bind TCP Inline

Listen for a connection and spawn a command shell Module Options msf use payload/linux/riscv32le/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options ...show and set options... msf payloadshellbindtcp run This modu...

Linux Command Shell, Bind TCP Inline

Listen for a connection and spawn a command shell Module Options msf use payload/linux/riscv64le/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options ...show and set options... msf payloadshellbindtcp run This modu...