Arista: EOS: CVE-2025-52881: security-advisory-0135

Arista Networks is providing this security advisory regarding three high-severity vulnerabilities identified in runC, the lightweight, command-line tool for spawning and running containers. These vulnerabilities present a potential risk of allowing malicious actors to circumvent container isolation mechanisms. For EOS-based products, these issues are strictly isolated to the cEOS-lab platform and the optional, standalone Docker SWIX extension. The standard core EOS release images do not ship with this component and remain secure. CVE-2025-52881 uses a race condition with shared mounts to redirect runC writes to /proc files, bypassing Linux Security Module (LSM) labels. Attackers can trick runC into writing fake procfs files instead of security label files. This critically allows redirecting arbitrary sysctl writes to dangerous files like /proc/sysrq-trigger (to crash the system) or /proc/sys/kernel/core_pattern (to escape the container). The flaw affects all runC writes to /proc, including sysctls and security labels.