3.3 LOW
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join string which allow an image with /dev as a symlink to trick runc into deleting files called ptmx on the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This issue is not exploitable under Docker, because Docker creates a top-level read-only layer that masks any malicious /dev symlink present in the container image — unlike some other Linux container tooling, whose higher-level runtimes built on runc remain exposed to exploitation via a malicious image. This issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0.
References
-
https://github.com/opencontainers/runc/security/advisories/GHSA-xjvp-4fhw-gc47 x_refsource_CONFIRM
-
https://github.com/opencontainers/runc/commit/864db8042dbb x_refsource_MISC
Affected products
- ==>= 1.5.0-rc.1, < 1.5.0-rc.3
- ==< 1.3.6
- ==>= 1.4.0-rc.1, < 1.4.3
Matching in nixpkgs
pkgs.nym
Mixnet providing IP-level privacy
-
nixos-unstable 2024.14-crunch-patched
- nixpkgs-unstable 2024.14-crunch-patched
- nixos-unstable-small 2024.14-crunch-patched
-
nixos-26.05 2024.14-crunch-patched
- nixos-26.05-small 2024.14-crunch-patched
- nixpkgs-26.05-darwin 2024.14-crunch-patched
pkgs.runc
CLI tool for spawning and running containers according to the OCI specification
pkgs.crunch
Wordlist generator
pkgs.git-brunch
git checkout command-line tool
pkgs.y-cruncher
Compute Pi and other constants to billions of digits
-
nixos-unstable 0.8.7.9547
- nixpkgs-unstable 0.8.7.9547
- nixos-unstable-small 0.8.7.9547
-
nixos-26.05 0.8.7.9547
- nixos-26.05-small 0.8.7.9547
- nixpkgs-26.05-darwin 0.8.7.9547
pkgs.speedcrunch
High-precision scientific calculator
-
nixos-unstable 0.12-unstable-2024-12-02
- nixpkgs-unstable 0.12-unstable-2024-12-02
- nixos-unstable-small 0.12-unstable-2024-12-02
-
nixos-26.05 0.12-unstable-2024-12-02
- nixos-26.05-small 0.12-unstable-2024-12-02
- nixpkgs-26.05-darwin 0.12-unstable-2024-12-02
pkgs.ocaml-crunch
Convert a filesystem into a static OCaml module
pkgs.untrunc-anthwlock
Restore a truncated mp4/mov (improved version of ponchio/untrunc)
-
nixos-unstable 0-unstable-2026-02-04
- nixpkgs-unstable 0-unstable-2026-02-04
- nixos-unstable-small 0-unstable-2026-06-05
-
nixos-26.05 0-unstable-2026-02-04
- nixos-26.05-small 0-unstable-2026-02-04
- nixpkgs-26.05-darwin 0-unstable-2026-02-04
pkgs.ocamlPackages.crunch
Convert a filesystem into a static OCaml module
pkgs.gnomeExtensions.runcat
The cat tells you the CPU usage by running speed
pkgs.haskellPackages.git-brunch
git checkout command-line tool
pkgs.ocamlPackages_latest.crunch
Convert a filesystem into a static OCaml module
pkgs.perlPackages.StringTruncate
Module for when strings are too long to be displayed in...
pkgs.python312Packages.truncnorm
None
pkgs.python313Packages.truncnorm
Moments for doubly truncated multivariate normal distributions
pkgs.python314Packages.truncnorm
Moments for doubly truncated multivariate normal distributions
pkgs.perl5Packages.StringTruncate
Module for when strings are too long to be displayed in...
pkgs.haskellPackages.html-truncate
A HTML truncator
pkgs.perl538Packages.StringTruncate
None
pkgs.perl540Packages.StringTruncate
None
pkgs.vscode-extensions.42crunch.vscode-openapi
Visual Studio Code extension with rich support for the OpenAPI Specification (OAS)
-
nixos-unstable 42Crunch-vscode-openapi-4.40.0
- nixpkgs-unstable 42Crunch-vscode-openapi-4.40.0
- nixos-unstable-small 42Crunch-vscode-openapi-4.40.0
-
nixos-26.05 42Crunch-vscode-openapi-4.40.0
- nixos-26.05-small 42Crunch-vscode-openapi-4.40.0
- nixpkgs-26.05-darwin 42Crunch-vscode-openapi-4.40.0
Package maintainers
-
@honnip Jung seungwoo <me@honnip.page>
-
@Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>
-
@vbgl Vincent Laporte <Vincent.Laporte@gmail.com>
-
@jluttine Jaakko Luttinen <jaakko.luttinen@iki.fi>
-
@saschagrunert Sascha Grunert <mail@saschagrunert.de>
-
@vdemeester Vincent Demeester <vincent@sbr.pm>
-
@j0hax Johannes Arnold <johannes.arnold@stud.uni-hannover.de>
-
@romildo José Romildo Malaquias <malaquias@gmail.com>
-
@benhiemer Benedikt Hiemer <ben.email@posteo.de>