Homepage

Symlink Following The advisory has been revoked - it doesn't affect any version of package kubernetes-1.31  (opens in a new tab)

Threat Intelligence

EPSS
0.02% (5th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-KUBERNETES131-15998241
  • published12 Apr 2026
  • disclosed6 Nov 2025
Report a new vulnerability Found a mistake?

Introduced: 6 Nov 2025

CVE-2025-31133  (opens in a new tab)
CWE-61  (opens in a new tab)
CWE-363  (opens in a new tab)

Amendment

The Chainguard security team deemed this advisory irrelevant for Chainguard:latest.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kubernetes-1.31 package and not the kubernetes-1.31 package as distributed by Chainguard.

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.