CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Description
A flaw was found in the 'users' crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than 1024 groups, leading to the erroneous inclusion of the root group in the access list.
Analysis
This is a privilege escalation vulnerability in the Rust 'users' crate, which incorrectly includes the root group in access control lists when a user or process has fewer than 1024 groups. An authenticated local attacker with low privileges can exploit this flaw to gain unauthorized access to resources restricted to the root group, achieving privilege escalation. The vulnerability requires local access and existing user privileges but has a high impact on confidentiality and integrity.
Technical Context
The vulnerability exists in the Rust 'users' crate, a library used for Unix/Linux user and group enumeration. The flaw stems from CWE-266 (Incorrect Privilege Assignment), specifically in the group listing logic. The vulnerability manifests when the crate's functions enumerate user groups and encounter a boundary condition: systems using getgroups() or similar APIs may incorrectly process group membership when the actual group count is below 1024 groups. This causes erroneous inclusion of group ID 0 (root) in the returned group list, even when the user is not actually a member of that group. The underlying issue likely involves buffer allocation logic, group enumeration loop termination, or group ID filtering that fails to properly validate group membership before inclusion in the access list.
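To make the boundary condition concrete, the following is an added Rust illustration, not the 'users' crate's own code: a deterministic test double standing in for getgrouplist(3), the buffer-handling pattern that would produce the symptom described above (an assumed root cause, consistent with the description but not confirmed by this page), the corrected pattern, and a check a defender can run over a returned group list. The names `fake_getgrouplist`, `groups_buggy`, `groups_fixed` and `lists_root_group` are hypothetical; the 1024-slot buffer is the boundary the advisory names.

```rust
// Added illustration, not the users crate's own code. The libc call is
// replaced by a deterministic test double so the example runs anywhere.

/// Stand-in for getgrouplist(3): copies `actual` into `buf`, stores the real
/// count in `ngroups`, and returns -1 when `buf` is too small (like the C API).
fn fake_getgrouplist(actual: &[u32], buf: &mut [u32], ngroups: &mut i32) -> i32 {
    let n = actual.len();
    *ngroups = n as i32; // the C API reports the required size either way
    if buf.len() < n {
        return -1;
    }
    buf[..n].copy_from_slice(actual);
    n as i32
}

const BUF_LEN: usize = 1024; // the boundary named in the advisory

/// Assumed root-cause pattern: the whole zero-filled buffer is returned, so
/// every unused slot reads as gid 0 (root) whenever the user has < 1024 groups.
fn groups_buggy(actual: &[u32]) -> Vec<u32> {
    let mut buf = vec![0u32; BUF_LEN];
    let mut n = BUF_LEN as i32;
    let _ = fake_getgrouplist(actual, &mut buf, &mut n);
    buf // returned count ignored: this is the defect
}

/// Corrected pattern: honour the count, grow and retry on -1, never expose slots.
fn groups_fixed(actual: &[u32]) -> Vec<u32> {
    let mut buf = vec![0u32; BUF_LEN];
    loop {
        let mut n = buf.len() as i32;
        if fake_getgrouplist(actual, &mut buf, &mut n) == -1 {
            buf.resize(n as usize, 0); // more than BUF_LEN groups: retry larger
            continue;
        }
        buf.truncate(n as usize);
        return buf;
    }
}

/// Defender check: an unprivileged caller's list should never contain gid 0.
fn lists_root_group(groups: &[u32]) -> bool {
    groups.contains(&0)
}

fn main() {
    let actual = [1000u32, 27, 100]; // constructed: a typical 3-group user
    println!("buggy lists root: {}", lists_root_group(&groups_buggy(&actual)));
    println!("fixed lists root: {}", lists_root_group(&groups_fixed(&actual)));
}
```

The same `lists_root_group` check, applied to the output of a real group-listing call for a non-root service account, is a cheap regression test to keep in place after upgrading the dependency.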
Affected Products
The vulnerability affects the Rust 'users' crate (specific affected versions not provided in submission data; typically denoted as CPE:2.3:a:users_project:users:*:*:*:*:*:rust:*:*). The 'users' crate is commonly used by Rust applications requiring Unix/Linux user/group enumeration. Any Rust binary or library dependency chain incorporating the affected 'users' crate version is in scope. Applications commonly affected include system utilities, container runtimes, security tools, and privilege management systems written in Rust. Without explicit version ranges in the provided data, assume all versions up to the first patched release are vulnerable.
Remediation
Remediation steps:

1. Identify all Rust projects and binaries with the 'users' crate as a dependency, using 'cargo tree' or dependency auditing tools.
2. Update the 'users' crate to the patched version (the release version number is not provided in the submission; consult the official Rust users crate repository on crates.io and GitHub for the fix).
3. Rebuild and redeploy affected Rust binaries.
4. For interim mitigation, restrict local user access on systems where feasible, implement AppArmor/SELinux policies to prevent unprivileged users from executing Rust binaries that rely on the users crate, or isolate service accounts to single-group membership.
5. Monitor audit logs (ausearch, journalctl) for unexpected privilege escalations or root group access by non-root users.
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| oracular | ignored | end of life, was needs-triage |
| questing | DNE | - |
| plucky | ignored | end of life, was needs-triage |
References
EUVD-2025-16945
GHSA-m65q-v92h-cm7q