VYPR
Moderate severity · NVD Advisory · Published May 17, 2022 · Updated Apr 23, 2025

Incorrect Default Permissions in runc

CVE-2022-29162

Description

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where runc exec --cap created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes runc exec --cap behavior such that the additional capabilities granted to the process being executed (as specified via --cap arguments) do not include inheritable capabilities. In addition, runc spec is changed to not set any inheritable capabilities in the created example OCI spec (config.json) file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

runc exec --cap in versions prior to 1.1.2 started processes with a non-empty inheritable capability set, so an executable carrying matching inheritable file capabilities could get those capabilities back into its permitted set on execve(2).

Vulnerability

A bug was found in runc prior to version 1.1.2 where runc exec --cap created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment [1][3][4]. This allowed programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2) [1][4]. The issue also affected the default OCI spec generated by runc spec, which included inheritable capabilities in the config.json file [2][3][4].

Exploitation

An attacker needs a process inside the container that was started by runc exec --cap, and therefore carries a non-empty inheritable set, together with an executable in the container whose inheritable file capabilities overlap that set [1][4]. No network position is required; the ability to run commands in the container is enough [1][4]. The extra capabilities only matter for a process that has since dropped them from its permitted set, for example by switching to a non-root user (which clears the permitted, effective and ambient sets but leaves the inheritable set intact): running the capable binary returns them to its permitted set.

Impact

A successful exploit lets a process that runs an executable with inheritable file capabilities regain those capabilities in its permitted set, exceeding what a process that had dropped its privileges was meant to keep [1][4]. The container security sandbox is not affected: the inheritable set never contained more capabilities than the container's bounding set, so nothing outside the container's intended capability envelope was reachable [1][4].
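To make the execve(2) rule described in the Description, Vulnerability and Impact sections concrete, here is an added Go model of the capabilities(7) transformation rules, written for this page and not taken from runc. The container's base capabilities, the extra CAP_NET_ADMIN granted via --cap, and the two setcap'd binaries are constructed inputs; the "before the fix" branch assumes the inheritable set held the same capabilities as the other sets, which is the shape the patched defaults on this page removed.

```go
package main

import "fmt"

// Capability bit numbers from <linux/capability.h>.
const (
	CapKill     uint64 = 1 << 5
	CapNetAdmin uint64 = 1 << 12
	CapNetRaw   uint64 = 1 << 13
	CapSysAdmin uint64 = 1 << 21
)

// ProcCaps holds the five per-thread capability sets of capabilities(7).
type ProcCaps struct {
	Effective, Permitted, Inheritable, Bounding, Ambient uint64
}

// FileCaps holds the capability sets attached to an executable with setcap(8).
type FileCaps struct {
	Permitted, Inheritable uint64
	Effective              bool
}

// Execve applies the capabilities(7) transformation rules for a non-root
// process executing a file that carries file capabilities:
//
//	P'(ambient)     = (file is privileged) ? 0 : P(ambient)
//	P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
//	P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
//	P'(inheritable) = P(inheritable)
//	P'(bounding)    = P(bounding)
//
// Only the F(permitted) term is masked by the bounding set; the
// P(inheritable) & F(inheritable) term is not, which is why the advisory's
// assurance rests on the inheritable set never exceeding the bounding set.
func Execve(p ProcCaps, f FileCaps) ProcCaps {
	privileged := f.Permitted != 0 || f.Inheritable != 0
	var out ProcCaps
	if !privileged {
		out.Ambient = p.Ambient
	}
	out.Permitted = (p.Inheritable & f.Inheritable) | (f.Permitted & p.Bounding) | out.Ambient
	if f.Effective {
		out.Effective = out.Permitted
	} else {
		out.Effective = out.Ambient
	}
	out.Inheritable = p.Inheritable
	out.Bounding = p.Bounding
	return out
}

// RuncExecWithCap models (constructed, not runc code) the process started by
// `runc exec --cap <extra>` in a container whose own sets are `base`: the
// extra capability lands in bounding, permitted, effective and ambient; with
// inheritableBug (runc < 1.1.2) everything also lands in inheritable.
func RuncExecWithCap(base, extra uint64, inheritableBug bool) ProcCaps {
	all := base | extra
	p := ProcCaps{Bounding: all, Permitted: all, Effective: all, Ambient: all}
	if inheritableBug {
		p.Inheritable = all
	}
	return p
}

// DropToNonRoot models a root process switching all of its UIDs to non-zero
// values: capabilities(7) clears permitted, effective and ambient, while the
// inheritable and bounding sets survive the change.
func DropToNonRoot(p ProcCaps) ProcCaps {
	return ProcCaps{Inheritable: p.Inheritable, Bounding: p.Bounding}
}

// RegainedAfterExec returns the permitted set a binary with the given file
// capabilities ends up with when run by a process that dropped to a non-root
// user after being started by runc exec --cap.
func RegainedAfterExec(p ProcCaps, file FileCaps) uint64 {
	return Execve(DropToNonRoot(p), file).Permitted
}

func main() {
	viaInheritable := FileCaps{Inheritable: CapNetAdmin, Effective: true} // setcap cap_net_admin+ei
	viaPermitted := FileCaps{Permitted: CapSysAdmin, Effective: true}     // setcap cap_sys_admin+ep

	before := RuncExecWithCap(CapKill|CapNetRaw, CapNetAdmin, true)
	after := RuncExecWithCap(CapKill|CapNetRaw, CapNetAdmin, false)

	fmt.Printf("runc < 1.1.2, +ei binary: permitted=%#x (CAP_NET_ADMIN regained)\n", RegainedAfterExec(before, viaInheritable))
	fmt.Printf("runc 1.1.2,   +ei binary: permitted=%#x (nothing regained)\n", RegainedAfterExec(after, viaInheritable))
	fmt.Printf("either,       +ep binary: permitted=%#x (blocked by the bounding set)\n", RegainedAfterExec(before, viaPermitted))
}
```

The third line of output is the advisory's sandbox argument in miniature: a file-permitted capability is always masked by the bounding set, and a file-inheritable capability can only reappear if the process's inheritable set already held it, so keeping that set within the bounding set (and, after the fix, empty) bounds what any binary in the container can obtain.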

Mitigation

This bug has been fixed in runc 1.1.2, released on 2022-05-17 [1][3][4]. Users should update to this version or later. The fix changes runc exec --cap behavior so that additional capabilities granted via --cap arguments no longer include inheritable capabilities [1][2][4]. Additionally, runc spec no longer sets any inheritable capabilities in the created example OCI spec (config.json) file [2][3][4].
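A check a practitioner can run to confirm the fix took effect, added here and not part of runc: it decodes the CapInh mask from the text of /proc/<pid>/status (for a process started with runc exec --cap) and reads process.capabilities.inheritable from an OCI config.json such as the one runc spec writes. The status lines and config fragments below are constructed samples; the first status mask corresponds to the three capabilities (CAP_KILL, CAP_NET_BIND_SERVICE, CAP_AUDIT_WRITE) that the pre-fix example spec listed as inheritable, the second to the post-fix empty set.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// capNames is indexed by capability number as defined in <linux/capability.h>.
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
	"CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
	"CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
	"CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
	"CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
	"CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
	"CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// DecodeCapMask converts a hex mask as printed in /proc/<pid>/status into names.
func DecodeCapMask(hexMask string) ([]string, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(hexMask), 16, 64)
	if err != nil {
		return nil, fmt.Errorf("bad capability mask %q: %w", hexMask, err)
	}
	var names []string
	for bit := 0; bit < 64; bit++ {
		if mask&(uint64(1)<<uint(bit)) == 0 {
			continue
		}
		if bit < len(capNames) {
			names = append(names, capNames[bit])
		} else {
			names = append(names, fmt.Sprintf("CAP_%d", bit)) // newer than this table
		}
	}
	return names, nil
}

// InheritableFromStatus returns the capabilities named by the CapInh line of
// /proc/<pid>/status. An empty result is what a process started by
// runc 1.1.2 exec --cap should show.
func InheritableFromStatus(status string) ([]string, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapInh:") {
			return DecodeCapMask(strings.TrimPrefix(line, "CapInh:"))
		}
	}
	return nil, fmt.Errorf("no CapInh line in status")
}

// InheritableFromSpec returns process.capabilities.inheritable from an OCI
// config.json; a non-empty list means the spec still grants inheritable caps.
func InheritableFromSpec(configJSON []byte) ([]string, error) {
	var spec struct {
		Process struct {
			Capabilities struct {
				Inheritable []string `json:"inheritable"`
			} `json:"capabilities"`
		} `json:"process"`
	}
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, err
	}
	return spec.Process.Capabilities.Inheritable, nil
}

// Constructed samples: 0x20000420 has bits 5, 10 and 29 set (CAP_KILL,
// CAP_NET_BIND_SERVICE, CAP_AUDIT_WRITE); the second status is the fixed shape.
const (
	statusBefore = "Name:\tsh\nCapInh:\t0000000020000420\nCapPrm:\t0000000020000420\nCapEff:\t0000000020000420\n"
	statusAfter  = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t0000000020000420\nCapEff:\t0000000020000420\n"
	specBefore   = `{"process":{"capabilities":{"bounding":["CAP_KILL"],"inheritable":["CAP_AUDIT_WRITE","CAP_KILL","CAP_NET_BIND_SERVICE"]}}}`
	specAfter    = `{"process":{"capabilities":{"bounding":["CAP_KILL"],"ambient":["CAP_KILL"]}}}`
)

func main() {
	for _, s := range []string{statusBefore, statusAfter} {
		inh, err := InheritableFromStatus(s)
		fmt.Printf("status CapInh=%v err=%v (non-empty is the pre-1.1.2 behaviour)\n", inh, err)
	}
	for _, s := range []string{specBefore, specAfter} {
		inh, err := InheritableFromSpec([]byte(s))
		fmt.Printf("config.json inheritable=%v err=%v\n", inh, err)
	}
}
```

On a live host, feed InheritableFromStatus the contents of /proc/<pid>/status for a process spawned by runc exec --cap, and InheritableFromSpec the config.json that runc spec produced; after upgrading to 1.1.2 both should come back empty.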

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/opencontainers/runc (Go)
Affected versions: < 1.1.2
Patched versions: 1.1.2

Affected products: 134

Patches: 1
d04de3a9b72d

Merge pull request from GHSA-f3fp-gc8g-vw66

https://github.com/opencontainers/runc · Aleksa Sarai · May 11, 2022 · via ghsa
5 files changed · +0 -40
  • exec.go (+0 -1) modified
    @@ -227,7 +227,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
     	if caps := context.StringSlice("cap"); len(caps) > 0 {
     		for _, c := range caps {
     			p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
    -			p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
     			p.Capabilities.Effective = append(p.Capabilities.Effective, c)
     			p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
     			p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
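Review bot: the loop still appends c to p.Capabilities.Ambient while no longer appending it to Inheritable, and the kernel only raises an ambient capability that is present in both the permitted and the inheritable set (PR_CAP_AMBIENT_RAISE, capabilities(7)); whatever applies these sets in the exec'd process must therefore populate inheritable with the ambient caps before raising them, or the --cap additions will reach bounding/permitted/effective but not ambient. Worth confirming against the capability-application path and covering with a test that reads CapAmb and CapInh of the exec'd process; the --cap flag's help text should also say that inheritable is no longer granted.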
    
  • libcontainer/integration/exec_test.go (+0 -2) modified
    @@ -364,7 +364,6 @@ func TestProcessCaps(t *testing.T) {
     	pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
     	pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN")
     	pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN")
    -	pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN")
     	err = container.Run(&pconfig)
     	ok(t, err)
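Review bot: removing the Inheritable append from pconfig leaves TestProcessCaps without any assertion that the exec'd process's inheritable set is actually empty, which is the regression this fix is meant to prevent. Suggest having the test read CapInh from the process's /proc/self/status and assert that CAP_NET_ADMIN is absent there while still present in the bounding, permitted and effective sets, so a future re-addition of the Inheritable line in exec.go fails CI.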
     
    @@ -1360,7 +1359,6 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
     	pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN")
     	pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN")
     	pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN")
    -	pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN")
     
     	err = container.Run(pconfig2)
     	_ = stdinR2.Close()
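Review bot: in TestRootfsPropagationSharedMount the CAP_SYS_ADMIN additions to pconfig2 exist for the mount(2) calls, not for capability semantics, so dropping the Inheritable line should not change what the test exercises; a one-line comment above these three appends saying that CAP_SYS_ADMIN is needed for mounting and is deliberately not placed in Inheritable would keep someone from restoring the old four-line pattern by analogy.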
    
  • libcontainer/integration/template_test.go (+0 -16) modified
    @@ -75,22 +75,6 @@ func newTemplateConfig(t *testing.T, p *tParam) *configs.Config {
     				"CAP_KILL",
     				"CAP_AUDIT_WRITE",
     			},
    -			Inheritable: []string{
    -				"CAP_CHOWN",
    -				"CAP_DAC_OVERRIDE",
    -				"CAP_FSETID",
    -				"CAP_FOWNER",
    -				"CAP_MKNOD",
    -				"CAP_NET_RAW",
    -				"CAP_SETGID",
    -				"CAP_SETUID",
    -				"CAP_SETFCAP",
    -				"CAP_SETPCAP",
    -				"CAP_NET_BIND_SERVICE",
    -				"CAP_SYS_CHROOT",
    -				"CAP_KILL",
    -				"CAP_AUDIT_WRITE",
    -			},
     			Ambient: []string{
     				"CAP_CHOWN",
     				"CAP_DAC_OVERRIDE",
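Review bot: with Inheritable removed from newTemplateConfig, every integration test built on this template now runs with an empty inheritable set next to the non-empty Ambient list that follows; since ambient caps can only be raised when they are also inheritable, this is the right place to add a test that the Ambient entries listed here really show up in CapAmb of the container's init process after the change, rather than being silently dropped.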
    
  • libcontainer/README.md (+0 -16) modified
    @@ -84,22 +84,6 @@ config := &configs.Config{
     			"CAP_KILL",
     			"CAP_AUDIT_WRITE",
     		},
    -		Inheritable: []string{
    -			"CAP_CHOWN",
    -			"CAP_DAC_OVERRIDE",
    -			"CAP_FSETID",
    -			"CAP_FOWNER",
    -			"CAP_MKNOD",
    -			"CAP_NET_RAW",
    -			"CAP_SETGID",
    -			"CAP_SETUID",
    -			"CAP_SETFCAP",
    -			"CAP_SETPCAP",
    -			"CAP_NET_BIND_SERVICE",
    -			"CAP_SYS_CHROOT",
    -			"CAP_KILL",
    -			"CAP_AUDIT_WRITE",
    -		},
     		Permitted: []string{
     			"CAP_CHOWN",
     			"CAP_DAC_OVERRIDE",
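Review bot: the README example now drops Inheritable without saying why; a short note beside the config (a normal Linux process has an empty inheritable set, runc now leaves it empty, and populating it lets binaries with inheritable file capabilities regain those caps on execve) would stop readers from copying the old shape back in. The same note should state that any Ambient entries in this example must also be in Permitted and Inheritable for the kernel to raise them.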
    
  • libcontainer/specconv/example.go (+0 -5) modified
    @@ -41,11 +41,6 @@ func Example() *specs.Spec {
     					"CAP_KILL",
     					"CAP_NET_BIND_SERVICE",
     				},
    -				Inheritable: []string{
    -					"CAP_AUDIT_WRITE",
    -					"CAP_KILL",
    -					"CAP_NET_BIND_SERVICE",
    -				},
     				Ambient: []string{
     					"CAP_AUDIT_WRITE",
     					"CAP_KILL",
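Review bot: Example() still lists CAP_AUDIT_WRITE, CAP_KILL and CAP_NET_BIND_SERVICE under Ambient while removing them from Inheritable, so `runc spec` now emits a config.json whose ambient set is not a subset of its inheritable set; because the kernel requires an ambient capability to be in both permitted and inheritable at the moment it is raised, either the runtime must add the ambient caps to inheritable transiently when applying them, or this example should drop Ambient as well. The change to `runc spec` output is user-visible and deserves a changelog entry.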
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 13

News mentions: 0

No linked articles in our index yet.