Saved February 14, 2026
Do you care about this?
Three serious vulnerabilities in the runC container runtime could allow attackers to bypass isolation and gain root access to the host system. The flaws affect multiple versions of runC, with potential exploits requiring the ability to configure custom mounts. While no active exploitation has been reported, developers recommend using mitigations like user namespaces and rootless containers.
If you do, here's more
Three serious vulnerabilities in runC, the container runtime used by Docker and Kubernetes, could allow attackers to escape container isolation and gain access to the host system. These vulnerabilities, identified as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, were reported by Aleksa Sarai, a SUSE engineer and Open Container Initiative board member. The flaws lie in how runC handles file mounts: by manipulating symlinks, an attacker could cause runC to write to critical system files.
CVE-2025-31133 allows an attacker to replace /dev/null with a symlink, leading to unauthorized write access within the container. CVE-2025-52565 involves redirecting /dev/console, potentially exposing writable access to important procfs entries. CVE-2025-52881 permits attackers to redirect writes to /proc, bypassing security protections and potentially affecting sensitive files like /proc/sysrq-trigger. The first and last of these (CVE-2025-31133 and CVE-2025-52881) affect all versions of runC, while CVE-2025-52565 only affects versions 1.0.0-rc3 and later. Fixes are available in runC versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
Researchers at Sysdig emphasize that exploiting these vulnerabilities requires the ability to start containers with custom mount configurations, which an attacker could obtain through a malicious container image. Currently, there are no known active exploits in the wild. Sysdig advises monitoring for suspicious symlink activity as a detection method and suggests enabling user namespaces for containers to mitigate the risk. With user namespaces active, the container's root user maps to an unprivileged user on the host, so ordinary Unix DAC permissions block writes to critical host files. Using rootless containers is also recommended to limit the potential damage from these vulnerabilities.
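As an added example, not code from the article, from runC or from Sysdig, the following Python script turns the detection and mitigation advice above into a pre-start audit of an OCI runtime bundle: it flags /dev/null or /dev/console being a symlink inside the image rootfs, any custom mount aimed inside /proc, and the absence of a user namespace. The bundle layout and placeholder paths are constructed for the demonstration; the `root.path`, `mounts[]` and `linux.namespaces[]` keys are standard OCI runtime-spec fields.

```python
"""Audit an OCI bundle for the conditions described in the runC advisory summary.

Added example; not part of the article, runC or Sysdig tooling.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Device nodes the article names as the symlink targets of the flaws
# (paths are relative to the container rootfs).
DEVICE_NODES = ("dev/null", "dev/console")


def audit_bundle(bundle: Path) -> List[str]:
    """Return human-readable findings for a bundle directory (config.json + rootfs)."""
    findings: List[str] = []
    config = json.loads((bundle / "config.json").read_text())
    rootfs = bundle / config.get("root", {}).get("path", "rootfs")

    # 1. /dev/null and /dev/console must be real nodes (or absent), never symlinks.
    for rel in DEVICE_NODES:
        node = rootfs / rel
        if node.is_symlink():
            findings.append(f"{rel} is a symlink to {os.readlink(node)}")

    # 2. Custom mounts whose destination lands inside /proc. The standard procfs
    #    mount on /proc itself is expected and not reported.
    for mount in config.get("mounts", []):
        dest = mount.get("destination", "")
        if dest.startswith("/proc/"):
            findings.append(f"custom mount at {dest} (type={mount.get('type')})")

    # 3. Without a user namespace, container root is host root for DAC purposes.
    namespaces = config.get("linux", {}).get("namespaces", [])
    if not any(ns.get("type") == "user" for ns in namespaces):
        findings.append("no user namespace: container root maps to host root")
    return findings


def make_sample_bundle(base: Path, devnull_symlink: bool, user_ns: bool) -> Path:
    """Constructed fixture: a minimal bundle, not a real image. Regular files stand
    in for device nodes because only the symlink property matters to the audit."""
    bundle = base / ("suspect" if devnull_symlink else "clean")
    dev = bundle / "rootfs" / "dev"
    dev.mkdir(parents=True)
    (dev / "console").touch()
    if devnull_symlink:
        (dev / "null").symlink_to("/placeholder/host/path")  # placeholder target
    else:
        (dev / "null").touch()

    mounts = [{"destination": "/proc", "type": "proc", "source": "proc"}]
    if devnull_symlink:
        # A custom mount under /proc, as a second thing the audit should flag.
        mounts.append({"destination": "/proc/sys", "type": "bind",
                       "source": "/placeholder/source"})
    ns_types = ["pid", "mount"] + (["user"] if user_ns else [])
    config = {
        "ociVersion": "1.0.2",
        "root": {"path": "rootfs"},
        "mounts": mounts,
        "linux": {"namespaces": [{"type": t} for t in ns_types]},
    }
    (bundle / "config.json").write_text(json.dumps(config, indent=2))
    return bundle


def demo() -> Dict[str, List[str]]:
    """Audit one suspect and one clean constructed bundle and return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        suspect = make_sample_bundle(base, devnull_symlink=True, user_ns=False)
        clean = make_sample_bundle(base, devnull_symlink=False, user_ns=True)
        return {"suspect": audit_bundle(suspect), "clean": audit_bundle(clean)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or ['no findings']}")
```

Run it with no arguments to see the two constructed bundles audited; to use it on a real bundle, call `audit_bundle(Path("/path/to/bundle"))` before the runtime starts the container. The user-namespace check corresponds to the article's mitigation advice; on Docker hosts the equivalent daemon setting is `userns-remap` in daemon.json, and rootless mode gives the same protection by construction.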