CVE-2025-62596

CRITICAL10.0EPSS 0.06%

youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects

Published: 11/5/2025Modified: 11/15/2025
Also known as:GHSA-vf95-55w6-qmrf

Description

### Impact ### youki’s apparmor handling performs insufficiently strict write-target validation, which—combined with path substitution during pathname resolution—can allow writes to unintended procfs locations. **Weak write-target check** youki only verifies that the destination lies somewhere under procfs. As a result, a write intended for `/proc/self/attr/apparmor/exec` can succeed even if the path has been redirected to `/proc/sys/kernel/hostname`(which is also in procfs). **Path substitution** While resolving a path component-by-component, a shared-mount race can substitute intermediate components and redirect the final target. This is a different project, but the core logic is similar to the CVE in runc. Issues were identified in runc, and verification was also conducted in youki to confirm the problems. https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm ### Credits ### Thanks to Li Fubang (@lifubang from acmcoder.com, CIIC) and Tõnis Tiigi (@tonistiigi from Docker) for both independently discovering runc's original vulnerability, as well as Aleksa Sarai (@cyphar from SUSE) for the original research into this class of security issues and solutions.

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 4.0CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
osvCVSS 3.1CRITICAL10.0CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

References (8)