
Dockerfile: update runc binary to v1.3.6#52883

Merged

thaJeztah merged 1 commit into moby:master from thaJeztah:bump_runc on Jun 16, 2026

Conversation

@thaJeztah (Member)

This is the sixth patch release of the 1.3.z series of runc. Among some performance improvements and bugfixes, it includes a fix for a low-severity vulnerability (CVE-2026-41579) and users are encouraged to update. As it was a low-severity vulnerability and it was reported by multiple people, we decided to release it publicly with NO EMBARGO.

Security

This release includes a fix for the following low-severity security issue:

  • CVE-2026-41579 allowed a malicious image with a /dev symlink to have limited write access to the host filesystem in ways that our analysis indicates was too limited to be problematic in practice. This bug was very similar to those fixed in CVE-2025-31133, CVE-2025-52565, CVE-2025-31133 and was simply missed at the time when we hardened the rootfs preparation code. We have conducted a deeper audit and not found any other problematic cases.

Fixed

  • A regression in runc v1.3.0 which can result in a stuck runc exec or runc run when the container process runs for a short time.
  • Various integration test improvements.

Changed

  • When masking directories with maskPaths, runc will now re-use a single tmpfs instance (which is not writable) to reduce the number of tmpfs superblocks that need to be reaped when containers die (in particular, Kubernetes applies masks to per-CPU sysfs directories which get expensive quickly).

full diff: opencontainers/runc@v1.3.5...v1.3.6

Summary

Release notes (optional)

Update runc (in static binaries) to [v1.3.6](https://github.com/opencontainers/runc/releases/tag/v1.3.6)


This is the sixth patch release of the 1.3.z series of runc. Among some
performance improvements and bugfixes, it includes a fix for a low-severity
vulnerability ([CVE-2026-41579]) and users are encouraged to update. As it was
a low-severity vulnerability and it was reported by multiple people, we decided
to release it publicly with NO EMBARGO.

Security

This release includes a fix for the following low-severity security issue:

- CVE-2026-41579 allowed a malicious image with a /dev symlink to have
  limited write access to the host filesystem in ways that our analysis
  indicates was too limited to be problematic in practice. This bug was very
  similar to those fixed in CVE-2025-31133, CVE-2025-52565, CVE-2025-31133
  and was simply missed at the time when we hardened the rootfs preparation
  code. We have conducted a deeper audit and not found any other problematic
  cases.

Fixed

- A regression in runc v1.3.0 which can result in a stuck runc exec or
  runc run when the container process runs for a short time.
- Various integration test improvements.

Changed

- When masking directories with maskPaths, runc will now re-use a single
  tmpfs instance (which is not writable) to reduce the number of tmpfs
  superblocks that need to be reaped when containers die (in particular,
  Kubernetes applies masks to per-CPU sysfs directories which get expensive
  quickly).

[CVE-2026-41579]: GHSA-xjvp-4fhw-gc47

full diff: opencontainers/runc@v1.3.5...v1.3.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah merged commit 3c8382a into moby:master Jun 16, 2026
371 of 390 checks passed
@thaJeztah thaJeztah deleted the bump_runc branch June 16, 2026 13:13
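The maskPaths behaviour described in the Changed entry above can be verified from inside a container by reading /proc/self/mountinfo: each masked directory should be a read-only tmpfs and, with the shared instance, all of them should report the same major:minor (one superblock). The following is an added example, not code from this PR or from runc; the mountinfo lines and the list of masked paths are constructed sample input.

```python
# Added example: check that masked directories are read-only tmpfs mounts
# sharing one superblock, by parsing /proc/self/mountinfo (format per proc(5)).
from collections import namedtuple

Mount = namedtuple("Mount", "dev mountpoint opts fstype super_opts")


def parse_mountinfo(text):
    """Parse mountinfo lines into Mount records."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields precede the " - " separator, so split on it first.
        pre, _, post = line.partition(" - ")
        f, fs = pre.split(), post.split()
        # f[2]: major:minor of the superblock, f[4]: mount point,
        # f[5]: per-mount options; fs[0]: fstype, fs[2]: superblock options.
        mounts.append(Mount(f[2], f[4], set(f[5].split(",")),
                            fs[0], set(fs[2].split(","))))
    return mounts


def check_masked_dirs(text, masked_dirs):
    """Return (findings per path, whether all masks share one tmpfs superblock)."""
    by_mountpoint = {m.mountpoint: m for m in parse_mountinfo(text)}
    findings, devs = {}, set()
    for path in masked_dirs:
        m = by_mountpoint.get(path)
        if m is None:
            findings[path] = "not mounted"
            continue
        ro = "ro" in m.opts or "ro" in m.super_opts
        if m.fstype == "tmpfs" and ro:
            findings[path] = "ok"
        else:
            findings[path] = f"unexpected: {m.fstype} {'ro' if ro else 'rw'}"
        devs.add(m.dev)
    return findings, len(devs) == 1


# Constructed sample: two masks on the shared read-only tmpfs (0:57) and one
# stray writable tmpfs mask (0:58) to show what a failed check looks like.
SAMPLE_MOUNTINFO = """\
120 119 0:55 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
121 120 0:56 / /proc rw,nosuid,nodev,noexec,relatime shared:1 - proc proc rw
122 121 0:57 / /proc/scsi ro,relatime - tmpfs tmpfs ro
123 120 0:57 / /sys/firmware ro,relatime - tmpfs tmpfs ro
124 120 0:58 / /sys/devices/virtual/powercap rw,relatime - tmpfs tmpfs rw
"""

if __name__ == "__main__":
    print(check_masked_dirs(SAMPLE_MOUNTINFO, ["/proc/scsi", "/sys/firmware"]))
```

On a real container, pass the contents of /proc/self/mountinfo and the maskedPaths list from the container's OCI config.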