CVE-2016-3697
published 2016-06-01CVE-2016-3697: libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local…
PriorityP338high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
EPSS
0.39%
30.7th percentile
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | docker.io | < runc 0.1.0+dfsg-1 (bookworm) | runc 0.1.0+dfsg-1 (bookworm) |
| debian | runc | < runc 0.1.0+dfsg-1 (bookworm) | runc 0.1.0+dfsg-1 (bookworm) |
| docker | docker | <= 1.11.1 | — |
| github.com | opencontainers_runc | >= 0 < 0.1.0 | 0.1.0 |
| hyper | runv | — | — |
| linuxfoundation | runc | <= 0.0.9 | — |
| linuxfoundation | runc | >= 0 < 0.1.0+dfsg-1 | 0.1.0+dfsg-1 |
| linuxfoundation | runc | >= 0 < 0.1.0+dfsg-1 | 0.1.0+dfsg-1 |
| linuxfoundation | runc | >= 0 < 0.1.0+dfsg-1 | 0.1.0+dfsg-1 |
| linuxfoundation | runc | >= 0 < 0.1.0+dfsg-1 | 0.1.0+dfsg-1 |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_moby-buildx_0.4.1+azure-3_on_cbl_mariner_1.0 | — | — |
| opensuse | opensuse | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.02.1LOWAV:L/AC:L/Au:N/C:P/I:N/A:N
osv7.8HIGH
vendor_debian7.8LOW
vendor_msrc7.8HIGH
vendor_redhat7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
libcontainer/user/user.go in runC before 0.1.0 as used in Docker before 1.11.2 improperly treats a numeric UID as a potential username which allows local users to gain privileges via a numeric usernam
vendor_msrc·2016-06-14·CVSS 7.8
CVE-2016-3697 [HIGH] CWE-264 libcontainer/user/user.go in runC before 0.1.0 as used in Docker before 1.11.2 improperly treats a numeric UID as a potential username which allows local users to gain privileges via a numeric usernam
libcontainer/user/user.go in runC before 0.1.0 as used in Docker before 1.11.2 improperly treats a numeric UID as a potential username which allows local users to gain privileges via a numeric username in the password file in a container.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional prod
Red Hat
docker: privilege escalation via confusion of usernames and UIDs
vendor_redhat·2016-04-22·CVSS 7.8
CVE-2016-3697 [HIGH] docker: privilege escalation via confusion of usernames and UIDs
docker: privilege escalation via confusion of usernames and UIDs
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
It was found that Docker would launch containers under the specified UID instead of a username. An attacker able to launch a container could use this flaw to escalate their privileges to root within the launched container.
Package: Security (Red Hat OpenShift Enterprise 3) - Affected
Debian
CVE-2016-3697: docker.io - libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2,...
vendor_debian·2016·CVSS 7.8
CVE-2016-3697 [HIGH] CVE-2016-3697: docker.io - libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2,...
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-xpc5-66vp-j2wh: util
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2018-9862 [HIGH] CWE-838 GHSA-xpc5-66vp-j2wh: util
util.c in runV 1.0.0 for Docker mishandles a numeric username, which allows attackers to obtain root access by leveraging the presence of an initial numeric value on an /etc/passwd line, and then issuing a "docker exec" command with that value in the -u argument, a similar issue to CVE-2016-3697.
OSV
Privilege Elevation in runc
osv·2021-12-20
CVE-2016-3697 [HIGH] Privilege Elevation in runc
Privilege Elevation in runc
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
GHSA
Privilege Elevation in runc
ghsa·2021-12-20
CVE-2016-3697 [HIGH] CWE-269 Privilege Elevation in runc
Privilege Elevation in runc
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
OSV
Privilege escalation in github.com/opencontainers/runc
osv·2021-04-14
CVE-2016-3697 Privilege escalation in github.com/opencontainers/runc
Privilege escalation in github.com/opencontainers/runc
GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.
OSV
CVE-2016-3697: libcontainer/user/user
osv·2016-06-01·CVSS 7.8
CVE-2016-3697 [HIGH] CVE-2016-3697: libcontainer/user/user
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-3697 docker: privilege escalation via confusion of usernames and UIDs [fedora-all]
bugzilla·2016-04-22·CVSS 7.8
CVE-2016-3697 [HIGH] CVE-2016-3697 docker: privilege escalation via confusion of usernames and UIDs [fedora-all]
CVE-2016-3697 docker: privilege escalation via confusion of usernames and UIDs [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supporte
Bugzilla
CVE-2016-3697 docker: privilege escalation via confusion of usernames and UIDs
bugzilla·2016-04-22·CVSS 7.8
CVE-2016-3697 [HIGH] CVE-2016-3697 docker: privilege escalation via confusion of usernames and UIDs
CVE-2016-3697 docker: privilege escalation via confusion of usernames and UIDs
Container launch does not distinguish between numeric UIDs and string usernames. A malicious image can provide a username to UID mapping at a high privileged level. This means that innoculous looking launches such as:
docker -u 1000 ...
actually result in the image processes running as root.
This ambiguity also confuses OpenShift's UID-based controls.
Discussion:
Acknowledgments:
Name: Mrunal Patel (Red Hat)
---
Created docker tracking bugs for this issue:
Affects: fedora-all [bug 1329454]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extras
Via RHSA-2016:1034 https://rhn.redhat.com/errata/RHSA-2016-1034.html
---
This issue has been addressed in the follo
http://lists.opensuse.org/opensuse-updates/2016-05/msg00111.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1034.htmlhttp://rhn.redhat.com/errata/RHSA-2016-2634.htmlhttps://github.com/docker/docker/issues/21436https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091https://github.com/opencontainers/runc/pull/708https://github.com/opencontainers/runc/releases/tag/v0.1.0https://security.gentoo.org/glsa/201612-28http://lists.opensuse.org/opensuse-updates/2016-05/msg00111.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1034.htmlhttp://rhn.redhat.com/errata/RHSA-2016-2634.htmlhttps://github.com/docker/docker/issues/21436https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091https://github.com/opencontainers/runc/pull/708https://github.com/opencontainers/runc/releases/tag/v0.1.0https://security.gentoo.org/glsa/201612-28
2016-06-01
Published