CVE-2025-2713

CWE-266 CWE-269 — Improper Privilege Management5 documents5 sources

Severity

6.8MEDIUM

EPSS

0.0%

top 94.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Gvisor

Timeline

PublishedMar 28

Description

Google gVisor's runsc component exhibited a local privilege escalation vulnerability due to incorrect handling of file access permissions, which allowed unprivileged users to access restricted files. This occurred because the process initially ran with root-like permissions until the first fork.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Affected Packages2 packages

▶NVDgoogle/gvisor< 20240325.0

▶Debiangolang-gvisor-gvisor< 0.0~20240729.0-1+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-4fj4-9m67-3mj3: Google gVisor's runsc component exhibited a local privilege escalation vulnerability due to incorrect handling of file access permissions, which allow↗2025-03-28

▶

OSV

CVE-2025-2713: Google gVisor's runsc component exhibited a local privilege escalation vulnerability due to incorrect handling of file access permissions, which allow↗2025-03-28

▶

CVEList

Improper File Permission Handling in Google gVisor runsc↗2025-03-28

▶

📋Vendor Advisories

Debian

CVE-2025-2713: golang-gvisor-gvisor - Google gVisor's runsc component exhibited a local privilege escalation vulnerabi...↗2025

▶