runc 1.0.0-rc95 through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to `libcontainer/rootfs_linux.go`. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.

Affected Packages

Go github.com/opencontainers/runc

Affected versions: 1.0.0-rc95 (fixed in 1.1.5)

Related CVEs

CVE-2023-27561

Key Information

GHSA ID

GHSA-vpvm-3wq2-2wvm

Published

March 3, 2023 9:30 PM

Last Modified

December 6, 2024 3:31 PM

CVSS Score

7.5 /10

Primary Ecosystem

Primary Package

github.com/opencontainers/runc

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.