CVE-2023-25809
CVE-2023-25809 is a medium-severity vulnerability in Linuxfoundation Runc with a CVSS 3.x base score of 5.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-281.
Key facts
- Severity: Medium (CVSS 3.x base score 5.0)
- EPSS exploit prediction: 0% (25th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-281
- Affected product: Linuxfoundation Runc
- Published:
- Last modified:
Description
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.
Frequently asked questions
- What is CVE-2023-25809?
- runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.
- How severe is CVE-2023-25809?
- CVE-2023-25809 has a CVSS 3.x base score of 5.0, rated medium severity. It is exploitable over local access with high attack complexity, requires high privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2023-25809 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (25th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-25809?
- CVE-2023-25809 affects Linuxfoundation Runc. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-25809?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-25809 published?
- CVE-2023-25809 was published on 2023-03-29 and last updated on 2026-06-17.
References
- https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17
- https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
Affected products (1)
- cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*
More vulnerabilities in Linuxfoundation Runc
- CVE-2024-21626 — High (CVSS 8.6): runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and…
- CVE-2019-5736 — High (CVSS 8.6): runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc…
- CVE-2021-30465 — High (CVSS 8.5): runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an…
- CVE-2025-31133 — High (CVSS 7.8): runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below,…
- CVE-2016-3697 — High (CVSS 7.8): libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a…
- CVE-2025-52881 — High (CVSS 7.5): runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and…
All CVEs affecting Linuxfoundation Runc →
Other CWE-281 (Improper Preservation of Permissions) vulnerabilities
- CVE-2024-36532 — Critical (CVSS 10.0): Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining…
- CVE-2024-56973 — Critical (CVSS 9.8): Insecure Permissions vulnerability in Alvaria, Inc Unified IP Unified Director before v.7.2SP2 allows a remote attacker…
- CVE-2024-46622 — Critical (CVSS 9.8): An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38,…
- CVE-2024-55507 — Critical (CVSS 9.8): An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the…
- CVE-2024-54465 — Critical (CVSS 9.8): A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2. An app may be…
- CVE-2024-41650 — Critical (CVSS 9.8): Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an…
Browse all CWE-281 (Improper Preservation of Permissions) vulnerabilities →