CVE-2022-27649
High severity · NVD Advisory · Published Apr 4, 2022 · Updated Aug 3, 2024

Description

A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Podman containers started with non-empty inheritable capabilities, allowing attackers with programs having inheritable file capabilities to elevate them to the permitted set via execve.

Vulnerability

A flaw in Podman (versions before 4.0.3), also present in Moby (Docker Engine), causes containers to be started with non-empty inheritable Linux process capabilities, because the container runtime does not clear the inheritable capability set as expected. The condition is reachable by default when running any container, without any special configuration. Podman 4.0.3 is the release that fixes it [1][3].

Exploitation

An attacker with access to programs inside the container that carry inheritable file capabilities can trigger the flaw. The attacker must be able to execute such a program (via execve(2)), at which point the inheritable capabilities are raised into the process's permitted set. No additional authentication or network position is required beyond the ability to run such a binary within the container [2][4].

Impact

Successful exploitation allows an attacker to elevate the capabilities of a process from the inheritable set to the permitted set, potentially gaining privileges beyond those intended for the container. This can lead to information disclosure, modification of files, or other actions depending on the capabilities obtained. The compromise is within the container's security context, but may bypass intended restrictions [2][4].

Mitigation

Podman 4.0.3, released on April 1, 2022, fixes this issue by ensuring the inheritable capabilities set is empty for containers (as shown in commit aafa80918a245edcbdaceb1191d749570f1872d0). Users should update to Podman 4.0.3 or later. For Moby (Docker Engine), refer to the Moby project's advisories; no specific workaround is available in the provided references. This CVE is not listed on CISA's Known Exploited Vulnerabilities catalog [3][4].
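As an added, defender-side example (not code from Podman, Moby or this advisory), the check below parses the Cap* lines of /proc/<pid>/status, decodes the inheritable mask into capability names, and flags the condition this CVE describes for a uid-0 container process. The sample status text is constructed here from the pre-fix value 00000000a80425fb that the patch's e2e test used to expect; the function names are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseCapStatus returns the Cap* masks in /proc/<pid>/status text keyed by field name.
func parseCapStatus(status string) map[string]uint64 {
	caps := map[string]uint64{}
	for _, line := range strings.Split(status, "\n") {
		key, val, _ := strings.Cut(line, ":")
		v, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
		if err == nil && strings.HasPrefix(key, "Cap") { // non-Cap lines and bad hex are skipped
			caps[key] = v
		}
	}
	return caps
}

// capNameByBit lists Linux capability names by bit number (order from linux/capability.h).
var capNameByBit = []string{"CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL", "SETGID",
	"SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE", "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK",
	"IPC_OWNER", "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT", "SYS_ADMIN", "SYS_BOOT",
	"SYS_NICE", "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
	"SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM", "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE"}

// capNames decodes a mask into CAP_* names, lowest bit first (bits beyond the table are ignored).
func capNames(mask uint64) (out []string) {
	for bit, n := range capNameByBit {
		if mask&(uint64(1)<<uint(bit)) != 0 {
			out = append(out, "CAP_"+n)
		}
	}
	return out
}

// inheritableLeak names what a uid-0 process carries in CapInh (the CVE-2022-27649 condition); nil means empty, as the fix expects.
func inheritableLeak(caps map[string]uint64, uid int) []string {
	if uid != 0 { // a non-root user may legitimately keep inheritable caps (see the keep-id test in the patch)
		return nil
	}
	return capNames(caps["CapInh"])
}

// vulnerableStatus is a constructed /proc/self/status excerpt using the pre-fix CapInh value from the patch's e2e test.
const vulnerableStatus = "Uid:\t0\t0\t0\t0\nCapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"

func main() { fmt.Println(inheritableLeak(parseCapStatus(vulnerableStatus), 0)) }
```

Run against a live container with `podman exec <ctr> cat /proc/self/status` as input; a fixed 4.0.3+ root container yields an empty result, the pre-fix value decodes to the fourteen default capabilities.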

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/containers/podman/v4 (Go)
Affected versions: < 4.0.3
Patched versions: 4.0.3

Patches (1)

Commit aafa80918a24

do not set the inheritable capabilities

https://github.com/containers/podman · Giuseppe Scrivano · Feb 28, 2022 · via GHSA
3 files changed · +13 −7
  • libpod/oci_conmon_exec_linux.go · +5 −2 · modified
    @@ -758,11 +758,14 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
     	} else {
     		pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
     	}
    +
    +	// Always unset the inheritable capabilities similarly to what the Linux kernel does
    +	// They are used only when using capabilities with uid != 0.
    +	pspec.Capabilities.Inheritable = []string{}
    +
     	if execUser.Uid == 0 {
     		pspec.Capabilities.Effective = pspec.Capabilities.Bounding
    -		pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
     		pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
    -		pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
     	} else {
     		if user == c.config.User {
     			pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
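Review bot: the uid == 0 branch also drops `pspec.Capabilities.Ambient = pspec.Capabilities.Bounding`, and neither the new comment nor the commit title ("do not set the inheritable capabilities") says why; add a line noting that Linux only allows ambient capabilities that are also in the inheritable set, so once Inheritable is forced to an empty slice a non-empty Ambient would be rejected when the exec session starts. The added comment "They are used only when using capabilities with uid != 0." would also read more precisely as "Inheritable caps are only needed for non-root users, which raise them as ambient caps."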
    
  • pkg/specgen/generate/security.go · +5 −2 · modified
    @@ -146,14 +146,17 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
     
     	configSpec := g.Config
     	configSpec.Process.Capabilities.Ambient = []string{}
    +
    +	// Always unset the inheritable capabilities similarly to what the Linux kernel does
    +	// They are used only when using capabilities with uid != 0.
    +	configSpec.Process.Capabilities.Inheritable = []string{}
     	configSpec.Process.Capabilities.Bounding = caplist
     
     	user := strings.Split(s.User, ":")[0]
     
     	if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
     		configSpec.Process.Capabilities.Effective = caplist
     		configSpec.Process.Capabilities.Permitted = caplist
    -		configSpec.Process.Capabilities.Inheritable = caplist
     	} else {
     		mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
     		if err != nil {
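Review bot: the two comment lines added here are a verbatim copy of the ones in libpod/oci_conmon_exec_linux.go, and the fact that run and exec each built their capability sets separately is how the root branch ended up with `configSpec.Process.Capabilities.Inheritable = caplist` in the first place; consider a shared helper that builds the default capability layout for a given user, so the two paths cannot diverge again. Since Ambient is already reset to `[]string{}` on the line above, grouping the two resets under a single comment would also keep the intent visible.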
    @@ -175,12 +178,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
     		}
     		configSpec.Process.Capabilities.Effective = userCaps
     		configSpec.Process.Capabilities.Permitted = userCaps
    -		configSpec.Process.Capabilities.Inheritable = userCaps
     
     		// Ambient capabilities were added to Linux 4.3.  Set ambient
     		// capabilities only when the kernel supports them.
     		if supportAmbientCapabilities() {
     			configSpec.Process.Capabilities.Ambient = userCaps
    +			configSpec.Process.Capabilities.Inheritable = userCaps
     		}
     	}
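Review bot: moving `configSpec.Process.Capabilities.Inheritable = userCaps` inside the `supportAmbientCapabilities()` block is a behaviour change for non-root users on kernels without ambient support: they now get an empty inheritable set where they previously got userCaps. That is consistent with the new comment above (inheritable caps are only needed to raise ambient ones), but the existing "Ambient capabilities were added to Linux 4.3" comment only explains Ambient; extend it to say that Inheritable is set alongside Ambient because the kernel requires every ambient capability to be present in the inheritable set as well.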
     
    
  • test/e2e/run_test.go · +3 −3 · modified
    @@ -498,7 +498,7 @@ var _ = Describe("Podman run", func() {
     		session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
     		session.WaitWithDefaultTimeout()
     		Expect(session).Should(Exit(0))
    -		Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
    +		Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
     
     		session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
     		session.WaitWithDefaultTimeout()
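Review bot: `ContainSubstring("0000000000000000")` asserts that the CapInh line of a root container is all zeros, which is the point of the fix, but a substring match on a run of zeros is weak: it would also pass if grep returned an unexpected line whose mask merely contains sixteen consecutive zeros. Matching the whole field, e.g. `ContainSubstring("CapInh:\t0000000000000000")`, or trimming the output and using Equal, ties the assertion to the inheritable set specifically.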
    @@ -533,7 +533,7 @@ var _ = Describe("Podman run", func() {
     		session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
     		session.WaitWithDefaultTimeout()
     		Expect(session).Should(Exit(0))
    -		Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
    +		Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
     
     		if os.Geteuid() > 0 {
     			if os.Getenv("SKIP_USERNS") != "" {
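Review bot: this case (`--user=0:0 --cap-add=DAC_OVERRIDE`) now expects an empty CapInh, which shows that --cap-add for root no longer leaks into the inheritable set; it would be stronger to also assert that CapPrm or CapEff still contain the added capability, otherwise the test would pass equally well if --cap-add silently stopped taking effect.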
    @@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() {
     			session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
     			session.WaitWithDefaultTimeout()
     			Expect(session).Should(Exit(0))
    -			Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
    +			Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
     
     			session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
     			session.WaitWithDefaultTimeout()
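Review bot: the expected CapInh for the `--userns=keep-id --privileged` run changes from all zeros to `0000000000000002`, a magic value with no comment. Bit 1 of the mask is CAP_DAC_OVERRIDE, yet the command on the line above passes no --cap-add, so a reader cannot tell from the test why exactly that bit, and only that bit, is now expected; a comment explaining where the expected mask comes from, or a named constant, would make the assertion reviewable.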
    

