Package details: pkg:golang/github.com/opencontainers/runc@1.1.5
purl pkg:golang/github.com/opencontainers/runc@1.1.5
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (3)

Vulnerability: VCID-jc1e-8tt4-xqdn
Aliases: CVE-2023-27561, GHSA-vpvm-3wq2-2wvm
Summary: Opencontainers runc Incorrect Authorization vulnerability
runc 1.0.0-rc95 through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to `libcontainer/rootfs_linux.go`. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.

Vulnerability: VCID-seds-dzew-jyfs
Aliases: CVE-2023-28642, GHSA-g2j6-57v7-gm8c
Summary: runc AppArmor bypass with symlinked /proc
### Impact
It was found that AppArmor, and potentially SELinux, can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration.
### Patches
Fixed in runc v1.1.5, by prohibiting symlinked `/proc`: https://github.com/opencontainers/runc/pull/3785
This PR fixes CVE-2023-27561 as well.
### Workarounds
Avoid using an untrusted container image.

Vulnerability: VCID-v2ys-xbn5-guh4
Aliases: CVE-2023-25809, GHSA-m8cg-xc2p-r3fc
Summary: rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
### Impact
It was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions:
1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl)
2. or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare)

A container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host. Other users' cgroup hierarchies are not affected.
### Patches
v1.1.5 (planned)
### Workarounds
- Condition 1: Unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private`). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.
- Condition 2 (very rare): add `/sys/fs/cgroup` to `maskedPaths`