Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses
Filter by:
With package: ocaml-crunch

Found 1 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-30892
0.0 NONE
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 weeks, 2 days ago
Crun incorrectly parses `crun exec` option `-u`, leading to privilege escalation

crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue.

Affected products

crun
  • ==>= 1.19, < 1.27

Matching in nixpkgs

pkgs.crun

Fast and lightweight fully featured OCI runtime and C library for running containers

  • nixos-unstable 1.26
    • nixpkgs-unstable 1.26
    • nixos-unstable-small 1.26
  • nixos-25.11 1.24
    • nixos-25.11-small 1.24
    • nixpkgs-25.11-darwin 1.24

pkgs.crunch

Wordlist generator

  • nixos-unstable 3.6
    • nixpkgs-unstable 3.6
    • nixos-unstable-small 3.6
  • nixos-25.11 3.6
    • nixos-25.11-small 3.6
    • nixpkgs-25.11-darwin 3.6

Package maintainers