Skip to content
Verified runc symlink deletion via malicious /dev symlink in container image
REPRO-2026-00206 Jul 2, 2026 .txt
Severity LOW
Confidence HIGH
Reproduced in 25m 21s
Tool calls 181
Spend $2.20
$ pruva-verify REPRO-2026-00206
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00206/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1 through 1.4.3, and 1.5.0-rc.1 through 1.5.0-rc.3, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join string which allow an image with /dev as a symlink to trick runc into deleting files called ptmx on the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This issue is not exploitable under Docker, but affects other Linux container tooling whose higher-level runtimes are built on runc. Fixed in versions 1.3.6, 1.4.3 and 1.5.0.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/ticket.md0.9 KB
bundle/ticket.json1.3 KB
bundle/repro/validation_verdict.json0.7 KB
bundle/repro/runtime_manifest.json0.6 KB
bundle/logs/build_repro-runc-vuln.log1.4 KB
bundle/logs/build_repro-runc-fixed.log1.4 KB
bundle/logs/repro_vuln.log1.0 KB
bundle/logs/repro_fixed.log0.6 KB
bundle/logs/vuln_variant/inner_scripts/relative_dev_symlink_vuln.sh1.8 KB
bundle/logs/vuln_variant/inner_scripts/relative_dev_symlink_fixed.sh1.8 KB
bundle/logs/vuln_variant/inner_scripts/pts_symlink_vuln.sh1.8 KB
bundle/logs/vuln_variant/inner_scripts/pts_symlink_fixed.sh1.8 KB
bundle/logs/vuln_variant/inner_scripts/create_start_entrypoint_vuln.sh1.8 KB
bundle/logs/vuln_variant/inner_scripts/create_start_entrypoint_fixed.sh1.8 KB
bundle/logs/vuln_variant/relative_dev_symlink_vuln.log1.2 KB
bundle/logs/vuln_variant/relative_dev_symlink_fixed.log0.8 KB
bundle/logs/vuln_variant/pts_symlink_vuln.log1.0 KB
bundle/logs/vuln_variant/pts_symlink_fixed.log1.0 KB
bundle/logs/vuln_variant/create_start_entrypoint_vuln.log1.2 KB
bundle/logs/vuln_variant/create_start_entrypoint_fixed.log0.8 KB
bundle/logs/vuln_variant/eval_relative_dev_symlink.txt0.0 KB
bundle/logs/vuln_variant/eval_pts_symlink.txt0.0 KB
bundle/logs/vuln_variant/eval_create_start_entrypoint.txt0.1 KB
bundle/logs/vuln_variant/vulnerable_version.txt0.4 KB
bundle/logs/vuln_variant/fixed_version.txt0.8 KB
bundle/vuln_variant/runtime_manifest.json0.8 KB
bundle/vuln_variant/patch_analysis.md9.4 KB
bundle/vuln_variant/source_identity.json0.9 KB
bundle/vuln_variant/variant_manifest.json3.0 KB
bundle/vuln_variant/validation_verdict.json1.0 KB
bundle/vuln_variant/root_cause_equivalence.json1.8 KB
bundle/repro/reproduction_steps.sh7.5 KB
bundle/repro/rca_report.md5.6 KB
bundle/vuln_variant/reproduction_steps.sh11.8 KB
bundle/vuln_variant/rca_report.md11.2 KB