RunC vulnerabilities and the case for tailored runtime defense
When your container runtime is the target
RunC sits at the heart of nearly every container platform, from Docker and containerd to Kubernetes nodes. This week, researchers disclosed three vulnerabilities (CVE-2025-1821, CVE-2025-1822, CVE-2025-1823) that expose potential container escape and host file manipulation vectors through race conditions and improper handling of file descriptors.
For organizations relying on containers for production workloads, this represents one of the most fundamental forms of risk — a break in the runtime isolation itself.
Patching helps, but exposure remains
The good news is that fixes are available upstream, and updated Docker and containerd releases have already begun rolling out. If you manage your own Kubernetes clusters, update runc on every node to a patched release (v1.4.0-rc.3 or later). Keep in mind that runc usually arrives through the distribution's runc or containerd package, or a new node image, rather than as a standalone download, and that the container runtime version kubectl reports for a node is containerd's, not runc's, so confirm with runc --version on the node itself.
For managed services, confirm with your provider that the control plane has been patched, then verify yourself that the updated runtime has reached the node OS of your worker nodes: worker node images are frequently on a separate upgrade cadence from the control plane, and a patched control plane does nothing for an unpatched worker.
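A node-side check for the patch floor above, as an added example that is not code from the original post, from Bifrost, or from the runc project. It parses the output of runc --version and compares it against v1.4.0-rc.3, the floor this post gives. The sample outputs are constructed for the example, and the MIN_RUNC_VERSION floor is an assumption: if your distribution backports the fixes to a 1.2.x or 1.3.x maintenance release, take the minimum from the upstream advisory instead, because this script does not know about backports.

```shell
#!/bin/sh
# Added example (not from the original post, Bifrost, or runc): decide whether a node's
# runc is at or above a minimum version. MIN_RUNC_VERSION is the floor the post states;
# adjust it from the upstream advisory if your distro backports fixes (assumption).
MIN_RUNC_VERSION="1.4.0-rc.3"

# runc_version_key VERSION: print "major minor patch rc" so versions compare numerically.
# A final release (no -rc suffix) gets a large rc number so 1.4.0 sorts after 1.4.0-rc.3.
runc_version_key() {
    v=${1#v}
    base=${v%%-*}
    case "$v" in
        *-rc.*) rc=${v##*-rc.} ;;
        *)      rc=999999 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "1.4" has no patch component
    printf '%d %d %d %d\n' "$major" "$minor" "$patch" "$rc"
}

# version_ge A B: exit 0 when A >= B, 1 otherwise (component-wise numeric compare).
version_ge() {
    set -- $(runc_version_key "$1") $(runc_version_key "$2")
    for i in 1 2 3 4; do
        eval "a=\$$i; b=\$$((i + 4))"
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# runc_is_patched "<output of runc --version>": 0 = patched, 1 = too old, 2 = unparseable.
# Only the "runc version X" line is used; the remaining lines are ignored.
runc_is_patched() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^runc version \(v\{0,1\}[0-9][^ ]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$MIN_RUNC_VERSION"
}

# check_local_node: run this on a worker node. The runtime version kubectl shows for a
# node is containerd's, not runc's, so the check has to execute on the node itself.
check_local_node() {
    out=$(runc --version 2>/dev/null) || { echo "runc not found on PATH"; return 2; }
    if runc_is_patched "$out"; then
        echo "OK: $(printf '%s\n' "$out" | head -n 1)"
    else
        echo "VULNERABLE: $(printf '%s\n' "$out" | head -n 1) is below $MIN_RUNC_VERSION"
        return 1
    fi
}

# Constructed sample outputs (not captured from real nodes), in the layout runc prints.
OLD_NODE='runc version 1.3.2
spec: 1.2.1'
PATCHED_NODE='runc version 1.4.0-rc.3
spec: 1.2.1'

for sample in "$OLD_NODE" "$PATCHED_NODE"; do
    if runc_is_patched "$sample"; then
        echo "patched:   $(printf '%s\n' "$sample" | head -n 1)"
    else
        echo "unpatched: $(printf '%s\n' "$sample" | head -n 1)"
    fi
done
```

Copy the script to each worker node (or run it through your node management tooling) and call check_local_node; the exit status makes it usable from a fleet-wide loop. The pre-release ordering matters here: a naive string comparison would rank 1.4.0-rc.3 above 1.4.0, which is exactly the wrong answer for a patch floor expressed as a release candidate.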
From detection to containment
Traditional detection tools can identify that something suspicious happened, perhaps an unexpected file modification or process spawn, but by the time the alert fires, the exploit has already succeeded. What’s needed is preventive confinement, ensuring that even if a runtime process is hijacked, its behavior remains locked to what’s expected.
That’s the philosophy behind Bifrost Security. By profiling each container’s legitimate behavior at runtime, Bifrost automatically generates AppArmor allow-lists that strictly define what that container can access and execute. If an attacker exploits a bug like these RunC flaws to reach the host filesystem or run an unexpected binary from inside the container, the kernel’s enforcement of that profile blocks the access. One caveat practitioners should keep in mind: the profile confines the container’s processes, so it constrains what a compromised workload can do once it is running, while steps that runc itself performs while setting up a container execute before the profile is in place. Confinement shrinks the blast radius of a runtime bug; it does not replace the patch.
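To make the allow-list idea concrete, here is an added illustration that is not Bifrost’s generator and not code from the original post. It takes a constructed record of what a profiler might observe for an nginx-style container (the "kind path" line format, the paths, and the profile name bifrost-nginx are all assumptions made for this example) and emits an AppArmor profile that permits exactly those accesses, with explicit denies on the host-facing paths a container escape typically reaches for. AppArmor is deny-by-default for anything a profile does not list, which is what turns an observed-behavior log into a least-privilege boundary.

```shell
#!/bin/sh
# Added illustration (not Bifrost's code, not from the original post): turn an
# allow-list of observed container behaviour into an AppArmor profile.
# Input format is an assumption for this example: one "<kind> <path>" per line,
# kind = exec | read | write, as a behaviour profiler might record it.

# Constructed sample of what a profiling run of an nginx-style container might observe.
OBSERVED='exec /usr/sbin/nginx
read /etc/nginx/**
read /usr/share/nginx/html/**
write /var/log/nginx/*.log
write /var/run/nginx.pid
read /etc/ld.so.cache
read /lib/**'

# generate_profile NAME "<observed lines>": print an AppArmor profile that allows
# only the observed accesses. Anything not listed is denied by AppArmor's default,
# and the explicit deny rules win even if a later allow rule happened to overlap.
generate_profile() {
    name=$1
    observed=$2
    printf '#include <tunables/global>\n\n'
    printf 'profile %s flags=(attach_disconnected) {\n' "$name"
    printf '  #include <abstractions/base>\n\n'
    printf '  # Explicit denies: host-facing surfaces a runtime escape typically touches.\n'
    printf '  deny /proc/sys/** w,\n'
    printf '  deny /proc/sysrq-trigger rw,\n'
    printf '  deny /sys/** w,\n'
    printf '  deny mount,\n'
    printf '  deny ptrace,\n\n'
    printf '  # Allow-list derived from observed behaviour; nothing else may execute or write.\n'
    printf '%s\n' "$observed" | awk '
        $1 == "exec"  { printf "  %s ix,\n", $2 }
        $1 == "read"  { printf "  %s r,\n",  $2 }
        $1 == "write" { printf "  %s rw,\n", $2 }
    '
    printf '}\n'
}

# Emit the profile for the constructed sample so the result can be inspected or
# redirected to a file for loading.
generate_profile bifrost-nginx "$OBSERVED"
```

Load the result with apparmor_parser -r -W on the node and attach it to the workload with docker run --security-opt apparmor=bifrost-nginx, or in Kubernetes through the container's securityContext.appArmorProfile with type Localhost and localhostProfile set to the profile name. Note what is absent from the generated profile: no shell, no package manager, no write access under /proc or /sys, so a payload that lands in this container through a runtime bug has nowhere sanctioned to execute from and nothing host-visible it may modify.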
Tailored security as the first line of defense
Generic hardening and broad system policies are no longer enough in an age of rapidly changing workloads and complex CI/CD pipelines. Tailored profiles, generated from the actual runtime behavior of each service, offer a scalable way to bring least privilege to the container layer without sacrificing velocity.
Even when vulnerabilities appear deep in foundational components like RunC, these behavior-based boundaries constrain lateral movement, privilege escalation, and persistence: a process that may only read, write, and execute the paths its profile lists has few ways to drop a new binary, tamper with host-visible files, or survive a restart.
Final thoughts
Incidents like this underline why runtime security must evolve beyond scanning and patching cycles. By continuously learning and enforcing what “normal” looks like, organizations can stay resilient even when the next zero-day hits the core of the container stack.
👉 Learn more about how Bifrost profiles workloads and enforces runtime behavior: docs.bifrostsec.com | bifrostsec.com