CVE-2023-25809
Published 2023-03-29
Priority: P429 · medium · 6.3 (CVSS 3.1)
EPSS: 0.33% (24.4th percentile)
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable under the following conditions: 1. when runc is executed inside the user namespace and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgroupns=host` with Rootless Docker/Podman/nerdctl), or 2. when runc is executed outside the user namespace and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host. Other users' cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private`; this is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts) or add `/sys/fs/cgroup` to `maskedPaths`.
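The following is an added example, not code from the runc project or this advisory: it checks an OCI `config.json` for condition 1 above (user namespace present, no cgroup namespace, `/sys/fs/cgroup` not masked) and applies either workaround the advisory names. The sample config is constructed; condition 2 depends on how runc itself is launched and is not visible from the config alone.

```python
import copy
import json

# Constructed sample: a rootless container (user namespace present) whose
# config omits the cgroup namespace and does not mask /sys/fs/cgroup.
SAMPLE_CONFIG = json.loads("""{
  "ociVersion": "1.0.2",
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}],
    "maskedPaths": ["/proc/kcore"]
  }
}""")

CGROUP_PATH = "/sys/fs/cgroup"

def namespace_types(config):
    """Set of namespace types the config asks runc to unshare."""
    return {ns.get("type") for ns in config.get("linux", {}).get("namespaces", [])}

def masked_paths(config):
    return config.get("linux", {}).get("maskedPaths", [])

def cgroup_exposed(config):
    """True when the config matches condition 1 of the advisory: a user
    namespace is present (rootless), no cgroup namespace is unshared, and
    /sys/fs/cgroup is not in maskedPaths."""
    ns = namespace_types(config)
    if "user" not in ns:
        return False  # not rootless: condition 1 does not apply
    if "cgroup" in ns:
        return False  # equivalent of --cgroupns=private
    return CGROUP_PATH not in masked_paths(config)

def harden(config, unshare_cgroupns=True):
    """Copy of config with one of the advisory's workarounds applied:
    unshare the cgroup namespace (default) or mask /sys/fs/cgroup."""
    fixed = copy.deepcopy(config)
    linux = fixed.setdefault("linux", {})
    if unshare_cgroupns:
        if "cgroup" not in namespace_types(fixed):
            linux.setdefault("namespaces", []).append({"type": "cgroup"})
    else:
        paths = linux.setdefault("maskedPaths", [])
        if CGROUP_PATH not in paths:
            paths.append(CGROUP_PATH)
    return fixed

if __name__ == "__main__":
    print("exposed:", cgroup_exposed(SAMPLE_CONFIG))
    print("after workaround:", cgroup_exposed(harden(SAMPLE_CONFIG)))
```

Unsharing the cgroup namespace is the workaround the advisory prefers and matches the Docker/Podman/nerdctl default on cgroup v2 hosts; masking the path is the fallback when the namespace cannot be changed.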
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | runc | < runc 1.1.5+ds1-1 (bookworm) | runc 1.1.5+ds1-1 (bookworm) |
| github.com | opencontainers_runc | >= 0 < 1.1.5 | 1.1.5 |
| linuxfoundation | runc | < 1.1.5 | 1.1.5 |
| linuxfoundation | runc | >= 0 < 1.0.0~rc93+ds1-5+deb11u4 | 1.0.0~rc93+ds1-5+deb11u4 |
| linuxfoundation | runc | >= 0 < 1.1.5+ds1-1 | 1.1.5+ds1-1 |
| linuxfoundation | runc | >= 0 < 1.1.5+ds1-1 | 1.1.5+ds1-1 |
| linuxfoundation | runc | >= 0 < 1.1.5+ds1-1 | 1.1.5+ds1-1 |
| linuxfoundation | runc | >= 0 < 1.1.4-0ubuntu1~18.04.2 | 1.1.4-0ubuntu1~18.04.2 |
| linuxfoundation | runc | >= 0 < 1.1.4-0ubuntu1~20.04.3 | 1.1.4-0ubuntu1~20.04.3 |
| linuxfoundation | runc | >= 0 < 1.1.4-0ubuntu1~22.04.3 | 1.1.4-0ubuntu1~22.04.3 |
| linuxfoundation | runc | >= 0 < 1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm4 | 1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm4 |
| msrc | cbl2_moby-runc_1.1.5-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_moby-runc_1.1.5+azure-1_on_cbl_mariner_1.0 | — | — |
| opencontainers | runc | < 1.1.5 | 1.1.5 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
| osv | 7.0 | HIGH | |
| vendor_ubuntu | 7.0 | HIGH | |
| vendor_msrc | 6.3 | MEDIUM | |
| vendor_debian | 5.0 | MEDIUM | |
| vendor_redhat | 5.0 | MEDIUM | |
Ubuntu
runC vulnerabilities
vendor_ubuntu·2023-05-23·CVSS 7.0
CVE-2022-29162 [HIGH] runC vulnerabilities
Title: runC vulnerabilities
Summary: Several security issues were fixed in runC.
USN-6088-1 fixed vulnerabilities in runC. This update provides
the corresponding updates for Ubuntu 16.04 LTS.
It was discovered that runC incorrectly performed access control when
mounting /proc to non-directories. An attacker could possibly use
this issue to escalate privileges.
(CVE-2019-19921)
Felix Wilhelm discovered that runC incorrectly handled netlink
messages. An attacker could possibly use
this issue to escalate privileges. (CVE-2021-43784)
Andrew G. Morgan discovered that runC incorrectly set
inherited process capabilities inside the container.
An attacker could possibly use this issue to
escalate privileges. (CVE-2022-29162)
Original advisory details:
It was discovered that runC incorrectly m
Ubuntu
runC vulnerabilities
vendor_ubuntu·2023-05-18·CVSS 5.0
CVE-2023-28642 [MEDIUM] runC vulnerabilities
Title: runC vulnerabilities
Summary: Several security issues were fixed in runC.
It was discovered that runC incorrectly made /sys/fs/cgroup
writable when in rootless mode. An attacker could possibly
use this issue to escalate privileges. (CVE-2023-25809)
It was discovered that runC incorrectly performed access control when
mounting /proc to non-directories. An attacker could possibly use
this issue to escalate privileges. (CVE-2023-27561)
It was discovered that runC incorrectly handled /proc and
/sys mounts inside a container. An attacker could possibly
use this issue to bypass AppArmor, and potentially SELinux.
(CVE-2023-28642)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
runc: Rootless runc makes `/sys/fs/cgroup` writable
vendor_redhat·2023-03-29·CVSS 5.0
CVE-2023-25809 [MEDIUM] CWE-276 runc: Rootless runc makes `/sys/fs/cgroup` writable
runc: Rootless runc makes `/sys/fs/cgroup` writable
Microsoft
rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
vendor_msrc·2023-03-14·CVSS 6.3
CVE-2023-25809 [MEDIUM] CWE-281 rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian
CVE-2023-25809: runc - runc is a CLI tool for spawning and running containers according to the OCI spec...
vendor_debian·2023·CVSS 5.0
CVE-2023-25809 [MEDIUM] CVE-2023-25809: runc - runc is a CLI tool for spawning and running containers according to the OCI spec...
OSV
Rootless: /sys/fs/cgroup is writable when cgroupns isn't unshared in github.com/opencontainers/runc
osv·2024-08-20
CVE-2023-25809 Rootless: /sys/fs/cgroup is writable when cgroupns isn't unshared in github.com/opencontainers/runc
Rootless: /sys/fs/cgroup is writable when cgroupns isn't unshared in github.com/opencontainers/runc
OSV
runc vulnerabilities
osv·2023-05-23·CVSS 7.0
CVE-2019-19921 [HIGH] runc vulnerabilities
runc vulnerabilities
OSV
runc vulnerabilities
osv·2023-05-18·CVSS 6.3
CVE-2023-25809 [MEDIUM] runc vulnerabilities
runc vulnerabilities
GHSA
rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
ghsa·2023-03-30
CVE-2023-25809 [LOW] CWE-281 rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
### Impact
It was found that rootless runc makes `/sys/fs/cgroup` writable under the following conditions:
1. when runc is executed inside the user namespace and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgroupns=host` with Rootless Docker/Podman/nerdctl)
2. or when runc is executed outside the user namespace and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare)
A container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.
Other users' cgroup hierarchies are not affected.
### Patches
v1.1.5 (planned)
### Workarounds
- Condition 1: Unshare the cgroup n
OSV
rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
osv·2023-03-30
CVE-2023-25809 [LOW] rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
OSV
CVE-2023-25809: runc is a CLI tool for spawning and running containers according to the OCI specification
osv·2023-03-29·CVSS 6.3
CVE-2023-25809 [MEDIUM] CVE-2023-25809: runc is a CLI tool for spawning and running containers according to the OCI specification
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17
https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc