Youki-Dev Youki vulnerabilities

5 known vulnerabilities affecting youki-dev/youki.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 1

Vulnerabilities

CVE-2025-62596 | HIGH | CVSS 7.3 | fixed in 0.5.7 | 2025-11-06
CVE-2025-62596 [HIGH] CWE-61: Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki's apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path component-by-component, a shared-mount race can substitu
Sources: cvelistv5, nvd
CVE-2025-62161 | HIGH | CVSS 7.3 | fixed in 0.5.7 | 2025-11-06
CVE-2025-62161 [HIGH] CWE-61: Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7.
Sources: cvelistv5, nvd
CVE-2025-54867 | HIGH | CVSS 7.0 | fixed in 0.5.5 | 2025-08-14
CVE-2025-54867 [HIGH] CWE-61: Youki is a container runtime written in Rust. Prior to version 0.5.5, if /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem. This issue has been patched in version 0.5.5.
Sources: cvelistv5, nvd
CVE-2025-27612 | MEDIUM | CVSS 5.9 | fixed in 0.5.3 | 2025-03-21
CVE-2025-27612 [MEDIUM] CWE-276: Libcontainer is affected by capabilities elevation. libcontainer is a library for container control. Prior to libcontainer 0.5.3, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of the tenant container. The logic here adds the given capabilities to all capabilities of the main container if present in the spec, otherwise it simply sets the provided capabilities as capabiliti
Sources: cvelistv5
CVE-2022-29162 | HIGH | CVSS 7.8 | fixed in 0.5.3 | 2022-05-17
CVE-2022-29162 [MEDIUM] CWE-276: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate t
Sources: nvd