VYPR
High severity · NVD Advisory · Published Mar 3, 2023 · Updated Dec 16, 2025

CVE-2023-27561

Description

runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

runc v1.0.0-rc95 through v1.1.4 re-introduces a race condition in volume-mount handling (a regression of CVE-2019-19921) that lets an attacker who can start two containers with shared custom mounts bypass runc's access control and escape the container.

Vulnerability

Details

CVE-2023-27561 is an incorrect-access-control vulnerability in runc, the CLI tool for spawning and running OCI-compliant containers on Linux. The bug is in libcontainer/rootfs_linux.go and is a regression of CVE-2019-19921 [1]. It affects runc from v1.0.0-rc95 through v1.1.4 inclusive [4]. The flaw is a race condition that can be triggered when two containers share a custom bind mount [1][3].

Exploitation

An attacker must be able to spawn two containers with custom volume-mount configurations and run custom images [1]. In the proof of concept, the two containers share a host directory as a volume. A process in the first container continuously swaps a directory under that shared volume with a symlink, using renameat2 with RENAME_EXCHANGE. While runc sets up the second container's mounts it resolves the mount destination path and then performs the mount; if a swap lands between those two steps, the mount follows the symlink and is placed outside the container's rootfs, bypassing the container's filesystem isolation [3].
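The swap primitive described above, shown as an added example that is not from the advisory or from runc: a path is resolved once, the directory at that path is exchanged with a symlink via renameat2(RENAME_EXCHANGE), and the same path is resolved again. The layout (share/mnt, share/alt and outside under a private temp directory) is constructed for the example; share stands in for the shared volume and outside stands in for the host path the real PoC points at. Nothing here touches runc or mounts anything; it is Linux-only and only shows why a path resolved earlier under attacker-writable storage cannot be trusted at the later use.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* RENAME_EXCHANGE lives in <linux/fs.h> (and newer glibc <stdio.h>); define it locally
   so the example builds against older headers. The syscall-number fallback covers the
   two architectures this example has been checked against. */
#ifndef RENAME_EXCHANGE
#define RENAME_EXCHANGE (1 << 1)
#endif
#ifndef SYS_renameat2
#  if defined(__x86_64__)
#    define SYS_renameat2 316
#  elif defined(__aarch64__)
#    define SYS_renameat2 276
#  else
#    error "SYS_renameat2 unknown for this architecture"
#  endif
#endif

/* Atomically exchange two directory entries (the primitive the PoC loops on).
   Uses the raw syscall so it also works on glibc builds without a renameat2() wrapper.
   Returns 0 on success, -1 on error with errno set. */
int exchange_entries(const char *a, const char *b)
{
    return (int)syscall(SYS_renameat2, AT_FDCWD, a, AT_FDCWD, b, RENAME_EXCHANGE);
}

/* Constructed layout under a private temp directory (stands in for the shared volume):
     <base>/share/mnt   real directory, the path a resolver would approve
     <base>/share/alt   symlink to <base>/outside, the entry the attacker swaps in
     <base>/outside     stands in for the host path the real PoC targets
   Returns 1 if resolving share/mnt after the swap lands on <base>/outside,
   0 if it does not, -1 on a setup error. */
int demo_swap_redirects_path(void)
{
    char tmpl[] = "/tmp/swapdemo.XXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base) return -1;

    char share[PATH_MAX], mnt[PATH_MAX], alt[PATH_MAX], outside[PATH_MAX];
    snprintf(share, sizeof share, "%s/share", base);
    snprintf(mnt, sizeof mnt, "%s/share/mnt", base);
    snprintf(alt, sizeof alt, "%s/share/alt", base);
    snprintf(outside, sizeof outside, "%s/outside", base);
    if (mkdir(share, 0700) || mkdir(mnt, 0700) || mkdir(outside, 0700)) return -1;
    if (symlink(outside, alt)) return -1;

    /* Time of check: resolve the destination once, the way a path-joining resolver
       would before handing the result to mount(2). */
    char before[PATH_MAX], after[PATH_MAX], want[PATH_MAX];
    if (!realpath(mnt, before) || !realpath(outside, want)) return -1;

    /* The attacker's swap. The PoC runs this in a loop from the first container; one
       exchange is enough to show the effect. Afterwards share/mnt is the symlink and
       share/alt is the original directory. */
    if (exchange_entries(mnt, alt)) return -1;

    /* Time of use: anything that now walks the same path follows the symlink. */
    if (!realpath(mnt, after)) return -1;
    int escaped = strcmp(before, after) != 0 && strcmp(after, want) == 0;

    /* Best-effort cleanup of the constructed layout. */
    unlink(mnt);      /* the symlink now sits at share/mnt */
    rmdir(alt);       /* the original directory now sits at share/alt */
    rmdir(outside);
    rmdir(share);
    rmdir(base);
    return escaped;
}

int main(void)
{
    int r = demo_swap_redirects_path();
    printf("resolved path redirected by the swap: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "setup error");
    return r == 1 ? 0 : 1;
}
```

The real PoC keeps exchanging because runc's window between resolving the destination and calling mount(2) is short; a single swap here is enough to show that the second walk of the same path ends somewhere else. The defensive reading is the general one for this bug class: do not act on a path string resolved earlier under a directory the other party can write to; hold and operate on a file descriptor obtained at time of use, or verify the result after the operation.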

Impact

A successful exploit allows an attacker to escape a container and gain elevated privileges on the host. Since the vulnerability re-introduces CVE-2019-19921, it enables the same type of container escape [1][4]. The attacker must already have the ability to run custom containers and configure volumes, which is typical in multi-tenant or CI/CD environments.

Mitigation

The vulnerability is fixed in runc v1.1.5, released on 2023-03-10 [4]. Users should upgrade to runc v1.1.5 or later. There is no workaround other than denying untrusted users the ability to create containers with custom mounts [1][4]. The same release also fixes the related issue CVE-2023-28642 [4].
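A practitioner's check for the affected range, as an added example that is not from the advisory or from runc: parse the first line of runc --version output and decide whether the version falls in >= 1.0.0-rc95 and < 1.1.5. Release candidates sort before the release they precede (1.0.0-rc95 < 1.0.0), which a plain numeric comparison gets wrong, so the comparison handles that ordering explicitly. The banner strings are constructed for the example and the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct runc_ver {
    int major, minor, patch;
    int rc;   /* release-candidate number; 0 means a final release */
};

/* Extracts the version token from a "runc --version" banner (or a bare version
   string) and parses it. Returns 0 on success, -1 if no x.y.z version is found. */
int parse_runc_version(const char *banner, struct runc_ver *v)
{
    const char *p = strstr(banner, "version ");
    p = p ? p + strlen("version ") : banner;

    char tok[64];
    if (sscanf(p, "%63s", tok) != 1) return -1;    /* first whitespace-delimited token */
    const char *t = tok[0] == 'v' ? tok + 1 : tok;  /* tolerate a leading "v" */

    if (sscanf(t, "%d.%d.%d", &v->major, &v->minor, &v->patch) != 3) return -1;
    v->rc = 0;
    const char *rc = strstr(t, "-rc");
    if (rc) {
        v->rc = atoi(rc + 3);
        if (v->rc <= 0) return -1;                  /* "-rc" without a number */
    }
    return 0;
}

/* Three-way compare. For the same x.y.z a final release is newer than any rc,
   so 1.0.0-rc95 < 1.0.0. */
int cmp_runc_version(const struct runc_ver *a, const struct runc_ver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (a->rc == b->rc) return 0;
    if (a->rc == 0) return 1;
    if (b->rc == 0) return -1;
    return a->rc < b->rc ? -1 : 1;
}

/* Applies the advisory's range, >= 1.0.0-rc95 and < 1.1.5.
   Returns 1 if affected, 0 if not, -1 if the banner could not be parsed. */
int runc_affected_by_cve_2023_27561(const char *banner)
{
    static const struct runc_ver lo = {1, 0, 0, 95};   /* first affected: v1.0.0-rc95 */
    static const struct runc_ver hi = {1, 1, 5, 0};    /* first patched:  v1.1.5 */
    struct runc_ver v;
    if (parse_runc_version(banner, &v) != 0) return -1;
    return cmp_runc_version(&v, &lo) >= 0 && cmp_runc_version(&v, &hi) < 0;
}

int main(void)
{
    /* Constructed banners in the shape "runc --version" prints; not captured output. */
    const char *samples[] = {
        "runc version 1.1.4\ncommit: v1.1.4-0-gxxxxxxx\nspec: 1.0.2-dev\n",
        "runc version 1.1.5\ncommit: v1.1.5-0-gxxxxxxx\nspec: 1.0.2-dev\n",
        "runc version 1.0.0-rc95",
        "runc version 1.0.0-rc94",
        "runc version 1.0.0",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = runc_affected_by_cve_2023_27561(samples[i]);
        int n = (int)strcspn(samples[i], "\n");     /* print the first banner line only */
        printf("%.*s -> %s\n", n, samples[i],
               r == 1 ? "AFFECTED" : r == 0 ? "ok" : "unparsable");
    }
    return 0;
}
```

Feed it the output of runc --version on each host (or the version string reported by the container runtime that embeds runc); anything that returns 1 needs the upgrade to v1.1.5 or later.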

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/opencontainers/runc (Go)
Affected versions: >= 1.0.0-rc95, < 1.1.5
Patched versions: 1.1.5

Affected products: 69

References: 24
