DEBIAN-CVE-2023-25809

Advisory lineage Upstream: 1 Downstream: 0
Upstream
CVE-2023-25809
Published: 29 Mar 2023, 19:15
Last modified:28 Apr 2026, 20:25

Vulnerability Summary

Overall Risk (default)
medium
25/100
CVSS Score
6.3 MEDIUM
3.1 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

29 Mar 2023, 19:15
Published
Vulnerability first disclosed
28 Apr 2026, 20:25
Last Modified
Vulnerability information updated

Description

runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.

CVSS Metrics

  • v3.1MEDIUMScore: 6.3CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Affected Systems

  • debianrunc

    < 1.0.0~rc93+ds1-5+deb11u4 | < 1.1.5+ds1-1 | < 1.1.5+ds1-1 | < 1.1.5+ds1-1

References (1)