High severityOSV Advisory· Published Apr 24, 2019· Updated Aug 5, 2024

CVE-2017-18367


Description

libseccomp-golang <=0.9.0 incorrectly ORs multiple syscall arguments in BPF, allowing bypass of seccomp restrictions by providing a single matching argument.

AI Insight



Vulnerability

In libseccomp-golang 0.9.0 and earlier, a rule carrying several argument conditions was never handed to libseccomp as one rule: the Go wrapper built a single `scmp_arg_cmp` per condition and called the rule-add function once for each, so every condition became a separate rule for the same syscall. libseccomp treats separate rules for one syscall as alternatives, so the generated Berkeley Packet Filter (BPF) matched when any one condition held — OR semantics — instead of requiring all of them to hold [1][2][4]. A filter written as "allow syscall X only when arg0 == A and arg1 == B" therefore allowed X whenever either comparison alone was true [1][4].

Exploitation

An attacker who already executes code inside a process sandboxed by such a filter can invoke a syscall the filter was meant to block simply by satisfying one of the rule's argument conditions and leaving the others unsatisfied [4]. No authentication or network position is involved; the preconditions are code execution within the sandbox and a filter that relies on a rule with two or more argument conditions for the same syscall (rules with a single argument condition are unaffected) [4].

Impact

Successful exploitation lets the attacker perform syscalls the filter was supposed to deny, weakening the sandbox and potentially enabling privilege escalation or a sandbox/container escape, depending on which syscalls the profile relied on argument filtering to block [1][3]. Severity ratings differ by source: Red Hat scored it moderate (CVSS base score 6.2) [3], while the OSV/GitHub advisory shown at the top of this page classifies it as High.

Mitigation

The issue is fixed in libseccomp-golang commit 06e7a29f36a34b8cf419aeb87b979ee508e58f9e, which collects all conditions into a single `scmp_arg_cmp` array and adds them to libseccomp as one rule [2]; the first release containing the fix is 0.9.1. Red Hat OpenShift Container Platform 4.1 addressed this in RHSA-2019:4087 [3]. Because Go links dependencies into each binary, updating the library on its own is not sufficient: every program that vendors libseccomp-golang (container runtimes, sandboxing tools) must be rebuilt against 0.9.1 or later, or obtained from a vendor build that carries the fix [2][3]. Until that rebuild, treat any profile rule that combines several argument conditions as giving no more protection than its weakest single condition.


Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/seccomp/libseccomp-golangGo
< 0.9.10.9.1


Patches

1
06e7a29f36a3

golang: Resolve bug with handling of multiple argument rules

https://github.com/seccomp/libseccomp-golangMatthew HeonApr 19, 2017via ghsa
1 file changed · +37 27
  • seccomp_internal.go+37 27 modified
    @@ -120,23 +120,27 @@ unsigned int get_micro_version()
     
     typedef struct scmp_arg_cmp* scmp_cast_t;
     
    -// Wrapper to create an scmp_arg_cmp struct
    -void*
    -make_struct_arg_cmp(
    -                    unsigned int arg,
    -                    int compare,
    -                    uint64_t a,
    -                    uint64_t b
    -                   )
    +void* make_arg_cmp_array(unsigned int length)
     {
    -	struct scmp_arg_cmp *s = malloc(sizeof(struct scmp_arg_cmp));
    +        return calloc(length, sizeof(struct scmp_arg_cmp));
    +}
     
    -	s->arg = arg;
    -	s->op = compare;
    -	s->datum_a = a;
    -	s->datum_b = b;
    +// Wrapper to add an scmp_arg_cmp struct to an existing arg_cmp array
    +void add_struct_arg_cmp(
    +                        struct scmp_arg_cmp* arr,
    +                        unsigned int pos,
    +                        unsigned int arg,
    +                        int compare,
    +                        uint64_t a,
    +                        uint64_t b
    +                       )
    +{
    +        arr[pos].arg = arg;
    +        arr[pos].op = compare;
    +        arr[pos].datum_a = a;
    +        arr[pos].datum_b = b;
     
    -	return s;
    +        return;
     }
     */
     import "C"
    @@ -239,12 +243,9 @@ func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error
     // DOES NOT LOCK OR CHECK VALIDITY
     // Assumes caller has already done this
     // Wrapper for seccomp_rule_add_... functions
    -func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact bool, cond C.scmp_cast_t) error {
    -	var length C.uint
    -	if cond != nil {
    -		length = 1
    -	} else {
    -		length = 0
    +func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact bool, length C.uint, cond C.scmp_cast_t) error {
    +	if length != 0 && cond == nil {
    +		return fmt.Errorf("null conditions list, but length is nonzero")
     	}
     
     	var retCode C.int
    @@ -258,6 +259,8 @@ func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact b
     		return fmt.Errorf("unrecognized syscall")
     	} else if syscall.Errno(-1*retCode) == syscall.EPERM {
     		return fmt.Errorf("requested action matches default action of filter")
    +	} else if syscall.Errno(-1*retCode) == syscall.EINVAL {
    +		return fmt.Errorf("two checks on same syscall argument")
     	} else if retCode != 0 {
     		return syscall.Errno(-1 * retCode)
     	}
    @@ -275,7 +278,7 @@ func (f *ScmpFilter) addRuleGeneric(call ScmpSyscall, action ScmpAction, exact b
     	}
     
     	if len(conds) == 0 {
    -		if err := f.addRuleWrapper(call, action, exact, nil); err != nil {
    +		if err := f.addRuleWrapper(call, action, exact, 0, nil); err != nil {
     			return err
     		}
     	} else {
    @@ -287,13 +290,20 @@ func (f *ScmpFilter) addRuleGeneric(call ScmpSyscall, action ScmpAction, exact b
     			}
     		}
     
    -		for _, cond := range conds {
    -			cmpStruct := C.make_struct_arg_cmp(C.uint(cond.Argument), cond.Op.toNative(), C.uint64_t(cond.Operand1), C.uint64_t(cond.Operand2))
    -			defer C.free(cmpStruct)
    +		argsArr := C.make_arg_cmp_array(C.uint(len(conds)))
    +		if argsArr == nil {
    +			return fmt.Errorf("error allocating memory for conditions")
    +		}
    +		defer C.free(argsArr)
    +
    +		for i, cond := range conds {
    +			C.add_struct_arg_cmp(C.scmp_cast_t(argsArr), C.uint(i),
    +				C.uint(cond.Argument), cond.Op.toNative(),
    +				C.uint64_t(cond.Operand1), C.uint64_t(cond.Operand2))
    +		}
     
    -			if err := f.addRuleWrapper(call, action, exact, C.scmp_cast_t(cmpStruct)); err != nil {
    -				return err
    -			}
    +		if err := f.addRuleWrapper(call, action, exact, C.uint(len(conds)), C.scmp_cast_t(argsArr)); err != nil {
    +			return err
     		}
     	}
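Review bot: The new EINVAL branch in addRuleWrapper reports every EINVAL from libseccomp as "two checks on same syscall argument", which is likely to misdirect callers if the rule-add call also returns -EINVAL for other malformed input such as an out-of-range argument index; keeping the errno visible avoids that: `return fmt.Errorf("invalid rule, possibly two checks on the same syscall argument: %v", syscall.Errno(-1*retCode))`. The wrapper's comment still says only "Wrapper for seccomp_rule_add_... functions"; since the whole fix hinges on all entries of `cond` being submitted as one rule, I would state the invariant there, e.g. `// cond points to length scmp_arg_cmp entries that are added as ONE rule, so all of them must match (AND); adding them one at a time makes libseccomp OR them.` The `length != 0 && cond == nil` guard is sound; the mirror case (length 0 with a non-nil array) presumably just ignores the pointer and needs no extra handling. Both addRuleWrapper and addRuleGeneric begin outside the hunks shown here.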
     
    


