Please update bundled runc to include fixes for CVE-2025-31133 / CVE-2025-52565 / CVE-2025-52881

[chiragjethva]

Hi team,

The current MicroK8s snap bundles an older runc (v1.3.0 as of MicroK8s 1.34/stable).
According to upstream and AWS advisories, the following vulnerabilities have been fixed in runc 1.2.8 / 1.3.3 / 1.4.0-rc.3 and later:

• CVE-2025-31133
• CVE-2025-52565
• CVE-2025-52881

References:

• https://nvd.nist.gov/vuln/detail/CVE-2025-31133
• https://ubuntu.com/security/notices/USN-7851-1
• https://github.com/opencontainers/runc/releases/tag/v1.3.3

Can you please confirm whether these fixes have been (or will be) back-ported to the MicroK8s snap?
If not yet, could we track a rebuild of the snap with runc ≥ 1.3.3?

Thanks for maintaining MicroK8s!

[sunnyfun888]

Same question.

This method may be temporarily used before the patch snap is released:

Use root user.

Upgrade microk8s to 1.34/stable.
eg.

snap refresh microk8s --channel=1.34/stable

Download runc v1.3.3, put it in the /root/snap/microk8s/ directory, rename to runc .

Run this shell scrpit:

chmod +x /root/snap/microk8s/runc

printf "
versions=\`df -h | grep /var/lib/snapd/snap/microk8s/ | awk -F'/' '{print \$NF}'\`

for version in \${versions[@]}; do
  runcFile=\"/var/lib/snapd/snap/microk8s/\${version}/bin/runc\"
  mount --bind /root/snap/microk8s/runc \${runcFile}
  echo \"Version of \${runcFile}:\"
  \${runcFile} -v
done
" > /root/snap/microk8s/switchRunc.sh


chmod +x /root/snap/microk8s/switchRunc.sh
/root/snap/microk8s/switchRunc.sh

Put /root/snap/microk8s/switchRunc.sh into the startup file (eg. /etc/rc.local) if you want it to take effect after reboot.