Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
AnalysisAI
Container privilege escalation in Red Hat Multicluster Engine for Kubernetes allows authenticated local attackers to escalate from non-root container execution to full root privileges by exploiting group-writable permissions on the /etc/passwd file created during container image build time, enabling arbitrary UID assignment including UID 0.
Technical ContextAI
The vulnerability stems from improper file permission configuration (CWE-276: Incorrect Default Permissions) applied to the /etc/passwd file during container image construction. The /etc/passwd file is created with group-writable permissions, allowing any user in the root group to modify user account entries. Within a container context, attackers with local command execution capabilities can leverage group membership to append new user entries with arbitrary UIDs. By specifying UID 0 during passwd file modification, an attacker can create a new user account with root-level privileges, effectively achieving privilege escalation from a constrained container execution context to full root access. This affects Red Hat Multicluster Engine for Kubernetes container images across multiple versions, as indicated by the wildcard version CPE entries provided.
RemediationAI
Apply the vendor-released security patch from Red Hat for Multicluster Engine for Kubernetes, available through the Red Hat security advisory portal at https://access.redhat.com/security/cve/CVE-2025-57851. The fix addresses improper file permissions by ensuring /etc/passwd is created with correct restrictive permissions during image build time, preventing non-root users and group members from modifying user account entries. Immediate patching is recommended for production environments, particularly those running multi-tenant or untrusted workload scenarios. Organizations should verify the exact patched version number from the Red Hat advisory and update container images accordingly. Container runtime security policies should also be reviewed to limit the execution privileges of container processes where feasible.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209300