CVE-2025-5791Incorrect Privilege Assignment in Azl3 Kata-containers-cc 3.15.0.aks0-4 ON Azure Linux 3.0

CWE-266Incorrect Privilege Assignment7 documents5 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 91.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
8
Msrc Azl3 Kata-containers-cc 3.15.0.aks0-4 ON Azure Linux 3.0Msrc Azl3 Kata-containers-cc 3.15.0.aks0-5 ON Azure Linux 3.0Msrc Azl3 Kata-containers-cc 3.15.0.aks0-6 ON Azure Linux 3.0+5 more
Timeline
PublishedJun 6
Latest updateJun 10

Description

A flaw was found in the user's crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.2

Affected Packages8 packages

🔴Vulnerability Details

4
OSV
CVE-2025-5791: A flaw was found in the user's crate for Rust2025-06-06
GHSA
users may append `root` to group listings2025-06-05
OSV
users may append `root` to group listings2025-06-05
OSV
`root` appended to group listings2025-01-15

📋Vendor Advisories

2
Microsoft
Users: `root` appended to group listings2025-06-10
Red Hat
users: `root` appended to group listings2025-01-15