CVE-2026-41579

BaseFortify

Vulnerability report for CVE-2026-41579, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join string, which allows an image with /dev as a symlink to trick runc into deleting files called ptmx on the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This issue is not exploitable under Docker, because Docker creates a top-level read-only layer that masks any malicious /dev symlink present in the container image; other Linux container tooling whose higher-level runtimes are built on runc remains exposed to exploitation via a malicious image. This issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

8 associated CPEs

Vendor           Product   Version / Range
opencontainers   runc      up to 1.3.6 (exclusive)
opencontainers   runc      up to 1.4.0-rc.1 (exclusive)
opencontainers   runc      up to 1.4.0-rc.12 (exclusive)
opencontainers   runc      up to 1.5.0-rc.1 (exclusive)
opencontainers   runc      up to 1.5.0-rc.2 (exclusive)
opencontainers   runc      1.3.5
opencontainers   runc      1.4.2
opencontainers   runc      1.5.0

Exploitability

CWE-61: The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Executive Summary

CVE-2026-41579 is a vulnerability in runc, a container runtime tool used to spawn and run containers according to the OCI specification. In certain vulnerable versions, when setting up the container root filesystem, runc's functions setupPtmx and setupDevSymlinks use path-based operations (os.Remove and os.Symlink with filepath.Join) that can be tricked by a malicious container image containing a /dev symlink.

This malicious /dev symlink can cause runc to delete files named ptmx on the host or create a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This happens because runc operates on host paths before pivot_root(2) is called, allowing path traversal attacks.

The issue is not exploitable under Docker due to Docker's top-level read-only layer masking any malicious /dev symlink, but other container runtimes built on runc, like Podman and containerd, remain exposed.

The vulnerability was fixed by changing the /dev initialization code to use file descriptor-based operations instead of path-based ones, ensuring operations occur within the correct root filesystem context and preventing path traversal attacks.
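To make that fix concrete, the following is an added Python illustration (not runc's own Go code) of the two patterns the summary contrasts: a path-based /dev setup whose joined path follows a symlinked rootfs/dev onto the host, and an fd-based one that opens dev relative to the rootfs with O_NOFOLLOW and performs unlinkat/symlinkat through that descriptor. Function names are hypothetical and the rootfs and "host" directories are constructed in a temp dir.

```python
import os
import tempfile

def make_layout(dev_is_symlink):
    """Constructed fixture: a rootfs plus a host dir outside it holding a regular file 'ptmx'."""
    base = tempfile.mkdtemp()
    rootfs, outside = os.path.join(base, "rootfs"), os.path.join(base, "outside")
    os.makedirs(rootfs)
    os.makedirs(outside)
    open(os.path.join(outside, "ptmx"), "w").close()
    if dev_is_symlink:  # mimic the malicious image layer: /dev is a symlink to a host dir
        os.symlink(outside, os.path.join(rootfs, "dev"))
    else:
        os.mkdir(os.path.join(rootfs, "dev"))
    return rootfs, outside

def setup_ptmx_path_based(rootfs):
    """Vulnerable pattern: the joined path resolves through rootfs/dev, so a symlink there redirects both calls onto the host."""
    ptmx = os.path.join(rootfs, "dev", "ptmx")
    if os.path.lexists(ptmx):
        os.remove(ptmx)
    os.symlink("pts/ptmx", ptmx)

def setup_ptmx_fd_based(rootfs):
    """Hardened pattern: open 'dev' relative to the rootfs fd with O_NOFOLLOW|O_DIRECTORY, then work through that fd."""
    root_fd = os.open(rootfs, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # A symlinked dev fails here with ELOOP instead of being followed.
        dev_fd = os.open("dev", os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=root_fd)
    finally:
        os.close(root_fd)
    try:
        try:
            os.remove("ptmx", dir_fd=dev_fd)      # unlinkat(dev_fd, "ptmx")
        except FileNotFoundError:
            pass
        os.symlink("pts/ptmx", "ptmx", dir_fd=dev_fd)  # symlinkat("pts/ptmx", dev_fd, "ptmx")
    finally:
        os.close(dev_fd)

def host_ptmx_intact(outside):
    """True if the host's ptmx is still the original regular file and not a symlink."""
    p = os.path.join(outside, "ptmx")
    return os.path.isfile(p) and not os.path.islink(p)

def container_ptmx_ok(rootfs):
    """True if rootfs/dev/ptmx is the intended symlink to pts/ptmx."""
    return os.readlink(os.path.join(rootfs, "dev", "ptmx")) == "pts/ptmx"
```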

Impact Analysis

The impact of this vulnerability is limited but can lead to host filesystem integrity violations. Specifically, an attacker can cause runc to delete files named ptmx on the host or create a predefined set of symlinks pointing to /proc or /dev/pts in arbitrary host directories.

Since the only guaranteed deletable files are those named ptmx, which are uncommon user files, the risk of significant damage is low. The created symlinks are hardcoded and unlikely to cause serious exploits such as container breakouts.

Most daemons require specific file suffixes, so the chance of denial-of-service or other issues caused by these symlinks is reduced.

Mitigations include using user namespaces or Linux Security Modules (LSMs) like SELinux or AppArmor to restrict filesystem operation scopes.

Detection Guidance

This vulnerability involves malicious container images that include a /dev symlink designed to trick runc into deleting or creating files on the host filesystem. Detection involves inspecting container images and runtime behavior for suspicious /dev symlinks or unexpected filesystem modifications.

You can check the version of runc installed to determine if it is vulnerable. Versions prior to 1.3.6, 1.4.3, and 1.5.0-rc.3 are affected.

  • Check runc version: `runc --version`
  • Inspect container images for /dev symlinks: `docker image save <image> -o image.tar && mkdir image && tar -xf image.tar -C image`, then extract each layer archive inside it and check whether its top-level `dev` entry is a symlink (`find . -maxdepth 1 -type l -name dev` from inside each extracted layer).
  • Monitor filesystem for unexpected deletions or symlink creations in host directories, especially files named 'ptmx' or symlinks pointing to /proc or /dev/pts.

Since exploitation requires local user interaction and container tooling other than Docker, monitoring container runtime logs and filesystem changes during container startup can help detect exploitation attempts.
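An added Python scanner (not from BaseFortify or the runc project) that performs the image check from the list above without manual extraction: it opens a docker-save tarball, walks each nested layer archive and reports any layer whose top-level dev entry is a symlink rather than a directory. The sample image, its layer names and the link target are constructed for the demonstration.

```python
import io
import os
import tarfile
import tempfile

def layer_dev_symlinks(image_tar_path):
    """Return (layer, link_target) for every layer whose top-level 'dev' entry is a symlink."""
    hits = []
    with tarfile.open(image_tar_path) as outer:
        for member in outer.getmembers():
            if not member.isfile():
                continue
            try:  # layer blobs are nested tar (possibly gzip) archives; JSON files raise ReadError
                layer = tarfile.open(fileobj=outer.extractfile(member))
            except tarfile.ReadError:
                continue
            with layer:
                for entry in layer.getmembers():
                    if os.path.normpath(entry.name).lstrip("/") == "dev" and entry.issym():
                        hits.append((member.name, entry.linkname))
    return hits

def build_sample_image(path):
    """Constructed fixture in docker-save layout: a benign layer plus one shipping /dev as a symlink."""
    def layer_bytes(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as t:
            for name, target in entries:
                info = tarfile.TarInfo(name)
                info.type = tarfile.DIRTYPE if target is None else tarfile.SYMTYPE
                info.linkname = target or ""
                t.addfile(info)
        return buf.getvalue()
    files = {
        "manifest.json": b'[{"Layers": ["aaa/layer.tar", "bbb/layer.tar"]}]',
        "aaa/layer.tar": layer_bytes([("dev", None), ("dev/pts", None)]),
        "bbb/layer.tar": layer_bytes([("dev", "/var/lib/example-host-dir")]),
    }
    with tarfile.open(path, "w") as outer:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            outer.addfile(info, io.BytesIO(data))

def scan_sample():
    """Build the constructed image in a temp dir and scan it; only the bbb layer should be flagged."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "image.tar")
        build_sample_image(path)
        return layer_dev_symlinks(path)
```

Pass a real `docker image save` tarball to `layer_dev_symlinks` to check images in use; any non-empty result is a layer that should not be run on a host using an unpatched non-Docker runtime.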

Mitigation Strategies

To mitigate this vulnerability, the primary step is to upgrade runc to a fixed version. The vulnerability is patched in versions 1.3.6, 1.4.3, and 1.5.0-rc.3.

  • Upgrade runc to version 1.3.6 or later, 1.4.3 or later, or 1.5.0-rc.3 or later.

Additional mitigations include using user namespaces or Linux Security Modules (LSMs) such as SELinux or AppArmor to restrict filesystem operations and reduce the impact of potential exploitation.

  • Enable and configure SELinux or AppArmor profiles to confine container runtimes.
  • Use user namespaces to isolate container processes and limit filesystem access.

Avoid using vulnerable container runtimes other than Docker, as Docker's top-level read-only layer masks this issue.
