Skip to main content

Crun

3 CVEs product

Monthly

CVE-2026-30892 NONE Awaiting Data

crun versions 1.19 through 1.26 misparse the `-u` (--user) option during container execution, causing a numeric UID value of 1 to be incorrectly interpreted as UID 0 (root) instead, resulting in privilege escalation where containerized processes execute with root privileges instead of the intended unprivileged user. The vulnerability affects the containers/crun OCI runtime container (cpe:2.3:a:containers:crun:*:*:*:*:*:*:*:*) and has been patched in version 1.27. No public exploit code or active exploitation has been identified, though the EPSS score of 0.01% (percentile 2%) indicates minimal real-world exploitation likelihood despite the privilege escalation tag.

Docker Linux Privilege Escalation Crun
NVD GitHub VulDB
EPSS
0.0%
CVE-2022-27650 HIGH PATCH This Week

A flaw was found in crun where containers were incorrectly started with non-empty default permissions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Docker Crun Fedora Openshift Container Platform +1
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-18837 HIGH This Week

An issue was discovered in crun before 0.10.5. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Crun Fedora
NVD GitHub
CVSS 3.1
8.6
EPSS
1.4%
EPSS 0%
NONE Awaiting Data

crun versions 1.19 through 1.26 misparse the `-u` (--user) option during container execution, causing a numeric UID value of 1 to be incorrectly interpreted as UID 0 (root) instead, resulting in privilege escalation where containerized processes execute with root privileges instead of the intended unprivileged user. The vulnerability affects the containers/crun OCI runtime container (cpe:2.3:a:containers:crun:*:*:*:*:*:*:*:*) and has been patched in version 1.27. No public exploit code or active exploitation has been identified, though the EPSS score of 0.01% (percentile 2%) indicates minimal real-world exploitation likelihood despite the privilege escalation tag.

Docker Linux Privilege Escalation +1
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in crun where containers were incorrectly started with non-empty default permissions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Docker Crun +3
NVD GitHub
EPSS 1% CVSS 8.6
HIGH This Week

An issue was discovered in crun before 0.10.5. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Crun Fedora
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy