CVE-2025-27612
MEDIUMlibcontainer < 0.5.3 - Incorrect Default Permissions via Tenant Builder Capability Inheritance
Title source: llmDescription
libcontainer is a library for container control. Prior to libcontainer 0.5.3, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container. However, setting inherited caps in any case for tenant container can lead to elevation of capabilities, similar to CVE-2022-29162. This does not affect youki binary itself. This is only applicable if you are using libcontainer directly and using the tenant builder.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/youki-dev/youki/security/advisories/GHSA-5w4j-f78p-4wh9
Vendor Advisory x_refsource_misc
https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66
Patch x_refsource_misc
https://github.com/youki-dev/youki/commit/747e342d2026fbf3a395db3e2a491ebef00082f1
Scores
CVSS v3
5.9
EPSS
0.0015
EPSS Percentile
5.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-276
Status
published
Products (2)
crates.io/libcontainer
0 - 0.5.3crates.io
youki-dev/youki
< 0.5.3
Published
Mar 21, 2025
Tracked Since
Feb 18, 2026