{
  "parent_issue": "CVE-2026-41579",
  "parent_root_cause": "Before pivot_root(2), runc's /dev setup code used path strings built with filepath.Join(config.Rootfs, \"/dev/...\") and then os.Remove / os.Symlink. A malicious /dev symlink in the image caused those operations to follow the symlink and affect the host filesystem.",
  "variant_root_cause": "The same pre-pivot path-based /dev setup code is reached when /dev is a relative symlink, or when the container is started via runc create followed by runc start instead of runc run. The same os.Remove / os.Symlink calls follow the same symlink and produce the same host-side impact.",
  "same_sink": true,
  "sink_functions": [
    "libcontainer.setupPtmx",
    "libcontainer.setupDevSymlinks"
  ],
  "same_trust_boundary": true,
  "trust_boundary_crossing": "attacker-controlled container image rootfs is processed by the runc runtime, which runs with privileges on the host",
  "variant_notes": [
    "relative_dev_symlink changes the data path (symlink target) but reaches the same setupPtmx/setupDevSymlinks sink.",
    "create_start_entrypoint changes the CLI entry point (runc create+runc start) but still executes prepareRootfs and doSetupDev in the container init, reaching the same sink.",
    "pts_symlink does not reach the same sink impact because the vulnerable code only operates on /dev/ptmx, not through /dev/pts."
  ],
  "fix_equivalence": "The upstream fix opens a single rootfs directory handle (rootFd) before pivot_root and rewrites all /dev setup to use fd-based pathrs helpers (UnlinkInRoot, SymlinkInRoot, MkdirAllParentInRoot). Because all three variant paths execute the same doSetupDev(rootFd) code, the same fd-based defense blocks all of them.",
  "fix_commits": [
    "a8e53f2c6d6d25cb3dd643cc514f118aab44b097",
    "864db8042dbb191028676f80addf8c35f348aee2"
  ]
}
