CVE-2026-41579

NameCVE-2026-41579
Descriptionrunc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join string which allow an image with /dev as a symlink to trick runc into deleting files called ptmx on the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This issue is not exploitable under Docker, because Docker creates a top-level read-only layer that masks any malicious /dev symlink present in the container image — unlike some other Linux container tooling, whose higher-level runtimes built on runc remain exposed to exploitation via a malicious image. This issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1140000

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
runc (PTS)bullseye1.0.0~rc93+ds1-5+deb11u5vulnerable
bullseye (security)1.0.0~rc93+ds1-5+deb11u3vulnerable
bookworm, bookworm (security)1.1.5+ds1-1+deb12u1vulnerable
trixie1.1.15+ds1-2vulnerable
forky, sid1.3.5+ds1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
runcsource(unstable)(unfixed)1140000

Notes

https://www.openwall.com/lists/oss-security/2026/06/13/2
https://github.com/opencontainers/runc/security/advisories/GHSA-xjvp-4fhw-gc47
Fixed by: https://github.com/opencontainers/runc/commit/864db8042dbb191028676f80addf8c35f348aee2

Search for package or bug name: Reporting problems