Runc/Docker CVE-2025-31333 and friends

Hello guys, :waving_hand:

It’s been several times that I wanted to check security information for TrueNAS but cannot find any.

There are several very serious CVEs for docker/runc that just got released:

But couldn’t find anything in the forums or in JIRA. Is there a public tracking of CVE/security issues in TrueNAS somewhere?

Thanks in advance

It also has information about reporting security issues on the landing page.

Edit: we do have a jira ticket for these CVEs already. Jira for reference, but the ticket is private currently

Neat! Very cool. I didn’t know part of JIRA was private.

Maybe CVE tickets should always be public or at least listed somewhere like on debian bugs so at least we know that it is on your radar?

I believe there are some legitimate cases where a CVE fix ticket might be kept private to avoid exposing a potential vulnerability or fix before the patch is published, but that’s up to the devs. It should be published to the security advisories site soon though.


Could TrueNAS please post an update on patching runc to mitigate these CVEs? I still don’t see them even mentioned on the security advisory website. (security dot truenas dot com for those wanting to follow along)

Check https://security.truenas.com for 25.10.0 now. Updates for CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 have been added.

I get no search results for any of those 3 CVEs. I also don’t see anything newer than 2024 CVEs when browsing specific versions of SCALE.

Really? On this page:

I get this:

Caching issue. I see it now after a hard page refresh. The XHR request to fetch SCALE.json was being loaded from cache in Firefox. Might want to append the timestamp to the request in the page javascript, i.e. from index.html

const url = '/advisories/SCALE.json';

modify to

const url = `/advisories/SCALE.json?ts=${Date.now()}`;

Appending a changing value like the timestamp will prevent browsers from returning what they think is a static file from cache.
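As an added example (not part of the thread and not the advisory site's own code), the timestamp approach suggested above can be combined with the fetch API's `cache: 'no-store'` option so a stale advisory list is not served from the browser cache. The function names and the `ORIGIN` placeholder are assumptions, and `fetch` is used here in place of the page's XHR call.

```javascript
// Added example, not the advisory site's code. ORIGIN is a placeholder base
// used only to resolve relative paths when parsing them with the URL API.
const ORIGIN = 'https://advisories.example';

// Return `path` with a `ts` query parameter set to `now`. Any existing query
// string and fragment are preserved, and a stale `ts` value is replaced
// rather than appended a second time.
function cacheBustedUrl(path, now = Date.now(), base = ORIGIN) {
  const url = new URL(path, base);
  url.searchParams.set('ts', String(now));
  // Keep relative inputs relative so the request stays same-origin.
  return /^[a-z][a-z0-9+.-]*:/i.test(path)
    ? url.href
    : url.pathname + url.search + url.hash;
}

// Fetch the advisory JSON without using or populating the HTTP cache.
// `cache: 'no-store'` covers the browser cache; the `ts` parameter also
// defeats intermediaries that key cached responses on the full URL.
// `fetchImpl` is injectable (hypothetical parameter) so it can be stubbed.
async function fetchFreshAdvisories(path = '/advisories/SCALE.json', fetchImpl = fetch) {
  const response = await fetchImpl(cacheBustedUrl(path), { cache: 'no-store' });
  if (!response.ok) {
    // Fail loudly: an empty result must not look like "no advisories".
    throw new Error(`advisory fetch failed: HTTP ${response.status}`);
  }
  return response.json();
}
```

Serving the JSON with a `Cache-Control: no-cache` response header fixes the same problem on the server side for every client, without changing the page script.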