VYPR
High severity · NVD Advisory · Published Sep 19, 2022 · Updated May 29, 2025

CVE-2022-2995

Description

In CRI-O, supplementary group IDs are not correctly propagated to the container process, which can bypass intended file permission restrictions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

CVE-2022-2995 is a vulnerability in the CRI-O container engine where supplementary group IDs are not correctly applied to container processes. When a container configuration specifies a user with a primary group (RunAsGroup), CRI-O previously failed to include that group in the supplementary groups list of the spawned process. The fix shows that SetProcessGID was called without also calling AddProcessAdditionalGid for the container's group ID, meaning the group was set as the primary group but not listed among the supplementary groups that the kernel uses for file access checks [1][4].
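To make the fix concrete, here is an added Go example (not CRI-O's own code) that models the two code paths of setupContainerUser and the check the regression test performs on /proc/1/status; procUser is a hypothetical stand-in for the OCI spec generator, and the status excerpt passed to it is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// procUser stands in for the OCI process.user fields CRI-O fills (hypothetical type).
type procUser struct {
	UID, GID       uint32
	AdditionalGids []uint32
}

// setupUser follows setupContainerUser's control flow: gid comes from the image user
// lookup and RunAsGroup (nil when unset) overrides it. fixed=false is the pre-fix path
// (GID only made primary); fixed=true also lists it as supplementary, as db3b399a8d7d does.
func setupUser(uid, gid uint32, runAsGroup *uint32, addGroups []uint32, fixed bool) procUser {
	u := procUser{UID: uid}
	if runAsGroup != nil {
		gid = *runAsGroup
	}
	u.GID = gid
	if fixed {
		u.AdditionalGids = append(u.AdditionalGids, gid)
	}
	u.AdditionalGids = append(u.AdditionalGids, addGroups...)
	return u
}

// hasSupplementaryGid parses the "Groups:" line of a /proc/<pid>/status dump (the check
// the regression test does with grep), matching whole fields rather than a substring.
func hasSupplementaryGid(status string, gid uint32) bool {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "Groups:") {
			for _, f := range strings.Fields(strings.TrimPrefix(line, "Groups:")) {
				if n, err := strconv.ParseUint(f, 10, 32); err == nil && uint32(n) == gid {
					return true
				}
			}
		}
	}
	return false
}

func main() {
	g := uint32(1000)
	fmt.Println(setupUser(1000, 0, &g, nil, false).AdditionalGids, setupUser(1000, 0, &g, nil, true).AdditionalGids) // [] [1000]
	fmt.Println(hasSupplementaryGid("Gid:\t1000\t1000\t1000\t1000\nGroups:\t1000 \n", g)) // true
}
```

The first line of output shows the pre-fix spec carrying no supplementary group for the RunAsGroup value and the fixed spec carrying it; the second is the membership check a verifier would run against the container's /proc/1/status.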

Attack Surface

An attacker who gains code execution inside a container that relies on supplementary group permissions, such as negative group permissions (i.e., group::- entries in ls -l), can exploit this omission to access files that should have been restricted. The attack requires direct access to the container and the ability to run arbitrary binaries. The underlying issue stems from an omission in the OCI runtime specification, so all major container runtimes (runc, crun, Kata Containers) could be affected, but CRI-O's specific implementation was vulnerable to this particular missing group propagation [1].

Impact

If exploited, this flaw can lead to unauthorized reading or modification of sensitive data. Containers that use Access Control Lists (ACLs) or group-based file permissions to isolate workloads are at risk; an attacker could bypass those controls and access files belonging to other containers or the host that are accessible via the missing supplementary group. The vulnerability does not grant any privileges beyond what the container's user already has, but it negates the effect of intended group-based restrictions [1][3].

Mitigation

Red Hat and the CRI-O project have released a fix that ensures the container's primary group ID is also added to the supplementary groups list (see commit [4]). Users should update CRI-O to a patched version. As of publication, the vulnerability has a CVSS score of 6.3 (Medium). No workaround is documented beyond ensuring CRI-O is upgraded to a version containing the commit referenced in [4] [2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Affected versions   Patched versions
github.com/cri-o/cri-o (Go)   < 1.25.0            1.25.0

Patches

db3b399a8d7d

server: add container GID to additional groups

https://github.com/cri-o/cri-o · Peter Hunt · Aug 22, 2022 · via ghsa
2 files changed · +15 -2
  • server/container_create.go  +3 -2  modified
    @@ -249,10 +249,11 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs
     	}
     
     	specgen.SetProcessUID(uid)
    -	specgen.SetProcessGID(gid)
     	if sc.RunAsGroup != nil {
    -		specgen.SetProcessGID(uint32(sc.RunAsGroup.Value))
    +		gid = uint32(sc.RunAsGroup.Value)
     	}
    +	specgen.SetProcessGID(gid)
    +	specgen.AddProcessAdditionalGid(gid)
     
     	for _, group := range addGroups {
     		specgen.AddProcessAdditionalGid(group)
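Review bot: the new `specgen.AddProcessAdditionalGid(gid)` line is the whole fix, and nothing in the hunk records why the primary GID must also be listed as a supplementary group; a one-line comment at that call (that `SetProcessGID(gid)` alone leaves the group out of the process's supplementary set, which is what this CVE and its regression test are about) would keep a later cleanup from deleting it as redundant. Also worth confirming that `AddProcessAdditionalGid` deduplicates, since the `for _, group := range addGroups` loop directly below can add the same gid a second time. Resolving `gid` before the single `SetProcessGID(gid)` call, instead of calling it twice, is a welcome simplification.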
    
  • test/ctr.bats  +12 -0  modified
    @@ -885,6 +885,18 @@ function check_oci_annotation() {
     	crictl exec --sync "$ctr_id" grep "CapEff:\s0000000000000000" /proc/1/status
     }
     
    +@test "ctr has gid in supplimental groups" {
    +	start_crio
    +
    +	jq '	  .linux.security_context.run_as_user.value = 1000
    +		|     .linux.security_context.run_as_group.value = 1000' \
    +		"$TESTDATA"/container_redis.json > "$newconfig"
    +
    +	ctr_id=$(crictl run "$newconfig" "$TESTDATA"/sandbox_config.json)
    +
    +	crictl exec --sync "$ctr_id" grep Groups:.1000 /proc/1/status
    +}
    +
     @test "ctr with low memory configured should not be created" {
     	start_crio
     	pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
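Review bot: the pattern `Groups:.1000` in the new test is too loose: `.` matches any character and the number is not anchored at the end, so a Groups line listing 10001 would also pass. Mirroring the `CapEff:\s` style used a few lines above, `grep 'Groups:\s1000\s'` checks the exact gid (the kernel prints a trailing space after each group). Also, "supplimental" in the test name should be "supplemental", and a second case with `run_as_group` unset, so that the gid comes from the image user, would exercise the other branch of the fixed code.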
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
