GHSA-xjvp-4fhw-gc47
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Malicious image delivered over network; no privileges required to craft it; operator must execute it (UI:R); crosses container-to-host boundary (S:C); limited integrity impact only, no confidentiality or availability impact described.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2Description PRE-NVD
AnalysisAI
Host filesystem integrity violations in runc are triggered when the container runtime processes a malicious OCI image where /dev is configured as a symbolic link rather than a directory. An attacker who can deliver such a crafted image - via a public registry, a supply-chain-compromised base image, or a shared CI/CD pipeline - can cause runc to follow the symlink during container device-node initialization, resulting in limited, unintended write operations on the host filesystem outside the container boundary. The vendor-credited reporter (Aleksa Sarai, a known runc maintainer) describes the impact as 'limited host filesystem integrity violations,' falling short of a full container escape. No public exploit has been identified at time of analysis.
Technical ContextAI
runc is the reference OCI container runtime underpinning Docker Engine, containerd, CRI-O, Podman, and Kubernetes container execution across virtually all major platforms. During container initialization, runc processes the image's root filesystem bundle, including population of the /dev subtree with device nodes and bind mounts. If the image presents /dev as a symbolic link rather than a real directory, runc's path-resolution logic may follow that symlink during /dev setup operations, causing filesystem writes to resolve against an attacker-controlled path on the host. This is a symlink-following / path traversal class of flaw - historically recurring in runc (cf. CVE-2019-5736, CVE-2021-30465) - most likely corresponding to CWE-61 (UNIX Symbolic Link Following) or CWE-22 (Improper Limitation of a Pathname). No CWE has been officially assigned as of the pre-NVD disclosure. CPE identifiers and exact affected version ranges are not yet published.
RemediationAI
No vendor-released patch version has been independently confirmed at time of analysis. Operators should monitor the oss-security thread (https://www.openwall.com/lists/oss-security/2026/06/13) and the runc GitHub releases page for a security release and apply it immediately upon availability. As a compensating control, enforcing container image provenance and integrity verification - such as sigstore/cosign signatures or Notary/TUF policies - prevents untrusted or tampered images from reaching runc, directly blocking the delivery vector; the trade-off is added pipeline complexity and key management overhead. Restricting which users, service accounts, and systems are permitted to pull and execute arbitrary images in multi-tenant environments limits the attacker's ability to introduce a malicious image. Applying seccomp profiles and AppArmor/SELinux policies that restrict unexpected host filesystem writes can reduce the impact of exploitation even if a malicious image is run; these policies may require tuning to avoid breaking legitimate container workloads. Read-only root filesystem enforcement (where operationally feasible) limits the runtime's ability to write outside expected paths.
Alpine Linux: runc fixed in 1.1.12-r0
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 8.4
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass beca
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linu
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated medium severity (CVSS 6
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. Rated medium severit
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. Rated high severity (CVSS 8.5), t
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a po
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.8
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. Rated high severity
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1.0.0~rc93+ds1-5+deb11u5 | - |
| bullseye (security) | vulnerable | 1.0.0~rc93+ds1-5+deb11u3 | - |
| bookworm, bookworm (security) | vulnerable | 1.1.5+ds1-1+deb12u1 | - |
| trixie | vulnerable | 1.1.15+ds1-2 | - |
| forky, sid | vulnerable | 1.3.5+ds1-1 | - |
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: Low| Product | Status |
|---|---|
| SLES15-SP5-CHOST-BYOS-SAP-CCloud | Affected |
| SLES15-SP6-CHOST-BYOS | Affected |
| SLES15-SP6-CHOST-BYOS-Aliyun | Affected |
| SLES15-SP6-CHOST-BYOS-Azure | Affected |
| SLES15-SP6-CHOST-BYOS-EC2 | Affected |
| SLES15-SP6-CHOST-BYOS-GCE | Affected |
| SLES15-SP6-CHOST-BYOS-GDC | Affected |
| SLES15-SP6-CHOST-BYOS-SAP-CCloud | Affected |
| SLES15-SP7-CHOST-BYOS-Aliyun | Affected |
| SLES15-SP7-CHOST-BYOS-Azure | Affected |
| SLES15-SP7-CHOST-BYOS-EC2 | Affected |
| SLES15-SP7-CHOST-BYOS-GCE | Affected |
| SLES15-SP7-CHOST-BYOS-GDC | Affected |
| SLES15-SP7-CHOST-BYOS-SAP-CCloud | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 12 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Not-Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Not-Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| openSUSE Leap 16.0 | Affected |
| SLES15-SP3-CHOST-BYOS-Aliyun | Affected |
| SLES15-SP3-CHOST-BYOS-Azure | Affected |
| SLES15-SP3-CHOST-BYOS-EC2 | Affected |
| SLES15-SP3-CHOST-BYOS-GCE | Affected |
| SLES15-SP3-CHOST-BYOS-SAP-CCloud | Affected |
| SLES15-SP4-CHOST-BYOS | Affected |
| SLES15-SP4-CHOST-BYOS-Aliyun | Affected |
| SLES15-SP4-CHOST-BYOS-Azure | Affected |
| SLES15-SP4-CHOST-BYOS-EC2 | Affected |
| SLES15-SP4-CHOST-BYOS-GCE | Affected |
| SLES15-SP4-CHOST-BYOS-SAP-CCloud | Affected |
| SLES15-SP5-CHOST-BYOS-Aliyun | Affected |
| SLES15-SP5-CHOST-BYOS-Azure | Affected |
| SLES15-SP5-CHOST-BYOS-EC2 | Affected |
| SLES15-SP5-CHOST-BYOS-GCE | Affected |
| SLES15-SP5-CHOST-BYOS-GDC | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP6 | Affected |
| SUSE Linux Enterprise Server 12 SP5 | Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Affected |
| SUSE Linux Enterprise Server 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Manager Proxy 4.3 | Not-Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Not-Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Server 4.3 | Not-Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE CaaS Platform 4.0 | Not-Affected |
| SUSE CaaS Platform 4.0 | Affected |
| SUSE Enterprise Storage 6 | Not-Affected |
| SUSE Enterprise Storage 6 | Affected |
| SUSE Enterprise Storage 7 | Not-Affected |
| SUSE Enterprise Storage 7 | Affected |
| SUSE Enterprise Storage 7.1 | Not-Affected |
| SUSE Enterprise Storage 7.1 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15-LTSS | Affected |
| SUSE Linux Enterprise Micro 5.0 | Not-Affected |
| SUSE Linux Enterprise Micro 5.0 | Affected |
| SUSE Linux Enterprise Micro 5.1 | Not-Affected |
| SUSE Linux Enterprise Micro 5.1 | Affected |
| SUSE Linux Enterprise Micro 5.2 | Not-Affected |
| SUSE Linux Enterprise Micro 5.2 | Affected |
| SUSE Linux Enterprise Module for Containers 12 | Affected |
| SUSE Linux Enterprise Module for Containers 15 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP1 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP2 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Module for Containers 15 SP3 | Affected |
| SUSE Linux Enterprise Server 12 | Affected |
| SUSE Linux Enterprise Server 12 SP3 | Affected |
| SUSE Linux Enterprise Server 12 SP4 | Affected |
| SUSE Linux Enterprise Server 15 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1 | Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2 | Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3 | Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise Server 15-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Manager Proxy 4.0 | Not-Affected |
| SUSE Manager Proxy 4.0 | Affected |
| SUSE Manager Proxy 4.1 | Not-Affected |
| SUSE Manager Proxy 4.1 | Affected |
| SUSE Manager Proxy 4.2 | Not-Affected |
| SUSE Manager Proxy 4.2 | Affected |
| SUSE Manager Retail Branch Server 4.0 | Not-Affected |
| SUSE Manager Retail Branch Server 4.0 | Affected |
| SUSE Manager Retail Branch Server 4.1 | Not-Affected |
| SUSE Manager Retail Branch Server 4.1 | Affected |
| SUSE Manager Retail Branch Server 4.2 | Not-Affected |
| SUSE Manager Retail Branch Server 4.2 | Affected |
| SUSE Manager Server 4.0 | Not-Affected |
| SUSE Manager Server 4.0 | Affected |
| SUSE Manager Server 4.1 | Not-Affected |
| SUSE Manager Server 4.1 | Affected |
| SUSE Manager Server 4.2 | Not-Affected |
| SUSE Manager Server 4.2 | Affected |
| SUSE OpenStack Cloud 6 | Affected |
| SUSE OpenStack Cloud 6-LTSS | Affected |
| openSUSE Leap 15.3 | Not-Affected |
| openSUSE Leap 15.3 | Affected |
| openSUSE Leap 15.4 | Not-Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Not-Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
| openSUSE Leap Micro 5.2 | Not-Affected |
| openSUSE Leap Micro 5.2 | Affected |
| openSUSE Leap Micro 5.3 | Not-Affected |
| openSUSE Leap Micro 5.3 | Affected |
| openSUSE Leap Micro 5.4 | Not-Affected |
| openSUSE Leap Micro 5.4 | Affected |
| openSUSE Leap Micro 5.5 | Affected |
| SLES-CHOST-BYOS-Aliyun | Affected |
| SLES-CHOST-BYOS-Azure | Affected |
| SLES-CHOST-BYOS-EC2 | Affected |
| SLES-CHOST-BYOS-GCE | Affected |
| SLES-CHOST-BYOS-GDC | Affected |
| SLES-CHOST-BYOS-SAP-CCloud | Affected |
| rancher/elemental-teal-iso/5.4 rancher/elemental-teal-rt/5.4 rancher/elemental-teal/5.4 suse/sle-micro/5.5 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40859