{
  "variant_id": "CVE-2026-41579-create-start-relative-dev",
  "created_at": "2026-07-02T17:39:53Z",
  "variant_summary": "CVE-2026-41579 can also be triggered via runc create followed by runc start, and via a relative /dev symlink in the container image, in addition to the originally reported path of runc run with an absolute /dev symlink. Both alternate paths reach the same pre-pivot, path-based /dev setup sink and are blocked by the fd-based fix in runc 1.3.6.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "opencontainers/runc",
  "submitted_target": {
    "target_kind": "git_tag",
    "version": "v1.3.5",
    "commit_sha": "488fc13e1f2d3d73ec36d829fdf2c98e47dc5ae8",
    "ref": "refs/tags/v1.3.5",
    "display": "runc v1.3.5 official amd64 release binary"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "version": "v1.3.6",
    "commit_sha": "491b69bab9fa206b984fb26ba07d3110d62e671f",
    "ref": "refs/tags/v1.3.6",
    "display": "runc v1.3.6 official amd64 release binary"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "cli_local",
  "validated_surface": "cli_local",
  "required_entrypoint_kind": "cli_command",
  "required_entrypoint_detail": "runc run, or runc create followed by runc start, with a malicious /dev symlink in the bundle rootfs",
  "attacker_controlled_input": "container image rootfs where /dev is a relative or absolute symlink to a directory outside the rootfs",
  "trigger_path": "CLI -> libcontainer.prepareRootfs -> doSetupDev -> setupPtmx / setupDevSymlinks",
  "observed_impact_class": "other",
  "exploitability_confidence": "medium",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "file_path": "libcontainer/rootfs_linux.go",
  "line_start": 893,
  "line_end": 1138,
  "secondary_anchors": [
    {
      "file_path": "internal/pathrs/root_pathrslite.go",
      "line_start": 70,
      "line_end": 110
    },
    {
      "file_path": "libcontainer/rootfs_linux.go",
      "line_start": 97,
      "line_end": 111
    }
  ],
  "review_scope_paths": [
    "libcontainer/rootfs_linux.go",
    "internal/pathrs/root_pathrslite.go",
    "internal/pathrs/mkdirall.go"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "vuln_variant/runtime_manifest.json",
    "source_identity": "vuln_variant/source_identity.json",
    "repro_log": [
      "logs/vuln_variant/relative_dev_symlink_vuln.log",
      "logs/vuln_variant/relative_dev_symlink_fixed.log",
      "logs/vuln_variant/create_start_entrypoint_vuln.log",
      "logs/vuln_variant/create_start_entrypoint_fixed.log",
      "logs/vuln_variant/pts_symlink_vuln.log",
      "logs/vuln_variant/pts_symlink_fixed.log"
    ],
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": ["vuln_variant/reproduction_steps.sh"]
  }
}
