rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
Description
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes /sys/fs/cgroup writable in following conditons: 1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared (e.g.., (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add /sys/fs/cgroup to maskedPaths.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/opencontainers/runcGo | < 1.1.5 | 1.1.5 |
Affected products
68- osv-coords67 versionspkg:apk/chainguard/ctoppkg:apk/chainguard/podmanpkg:apk/chainguard/podman-docpkg:apk/chainguard/runcpkg:apk/chainguard/runc-docpkg:apk/wolfi/ctoppkg:apk/wolfi/podmanpkg:apk/wolfi/podman-docpkg:apk/wolfi/runcpkg:apk/wolfi/runc-docpkg:golang/github.com/opencontainers/runcpkg:rpm/almalinux/aardvark-dnspkg:rpm/almalinux/buildahpkg:rpm/almalinux/buildah-testspkg:rpm/almalinux/cockpit-podmanpkg:rpm/almalinux/conmonpkg:rpm/almalinux/containernetworking-pluginspkg:rpm/almalinux/containers-commonpkg:rpm/almalinux/container-selinuxpkg:rpm/almalinux/critpkg:rpm/almalinux/criupkg:rpm/almalinux/criu-develpkg:rpm/almalinux/criu-libspkg:rpm/almalinux/crunpkg:rpm/almalinux/fuse-overlayfspkg:rpm/almalinux/libslirppkg:rpm/almalinux/libslirp-develpkg:rpm/almalinux/netavarkpkg:rpm/almalinux/oci-seccomp-bpf-hookpkg:rpm/almalinux/podmanpkg:rpm/almalinux/podman-catatonitpkg:rpm/almalinux/podman-dockerpkg:rpm/almalinux/podman-gvproxypkg:rpm/almalinux/podman-pluginspkg:rpm/almalinux/podman-remotepkg:rpm/almalinux/podman-testspkg:rpm/almalinux/python3-criupkg:rpm/almalinux/python3-podmanpkg:rpm/almalinux/runcpkg:rpm/almalinux/skopeopkg:rpm/almalinux/skopeo-testspkg:rpm/almalinux/slirp4netnspkg:rpm/almalinux/toolboxpkg:rpm/almalinux/toolbox-testspkg:rpm/almalinux/udicapkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/runc&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/runc&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/runc&distro=openSUSE%20Tumbleweedpkg:rpm/suse/runc&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/runc&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3
< 0.7.7-r13+ 66 more
- (no CPE)range: < 0.7.7-r13
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.7.7-r13
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.1.5
- (no CPE)range: < 2:1.0.1-38.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 1:1.24.6-7.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 1:1.24.6-7.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 46-1.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:2.1.4-2.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 1:1.1.1-5.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 2:1-38.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 2:2.205.0-3.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 3.15-3.module_el8.6.0+3137+d33c3efb
- (no CPE)range: < 3.15-3.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 3.15-3.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 3.15-3.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 1.8.3-1.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 1.9-2.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 4.4.0-1.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 4.4.0-1.module_el8.6.0+3137+d33c3efb
- (no CPE)range: < 2:1.0.1-38.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 1.2.5-2.module_el8.8.0+3468+16b86c82
- (no CPE)range: < 2:4.0.2-24.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 2:4.0.2-24.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 2:4.0.2-24.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 2:4.0.2-24.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 2:4.0.2-24.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 2:4.0.2-24.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 2:4.0.2-24.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 3.15-3.module_el8.6.0+3137+d33c3efb
- (no CPE)range: < 4.0.0-2.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 4:1.1.9-1.el9
- (no CPE)range: < 2:1.6.2-8.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 2:1.6.2-8.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 1.1.8-3.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 0.0.99.4-5.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 0.0.99.4-5.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 0.2.6-4.module_el8.9.0+3627+db8ec155
- (no CPE)range: < 0.0.20250807T150727-1.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-1.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-16.29.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- (no CPE)range: < 1.1.5-150000.41.1
- opencontainers/runcv5Range: < 1.1.5
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-m8cg-xc2p-r3fcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-25809ghsaADVISORY
- github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17ghsax_refsource_MISCWEB
- github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fcghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.