| purl | pkg:rpm/redhat/runc@4:1.1.9-1?arch=el9 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-e44x-a9xm-6ke9; Aliases: CVE-2022-41724 | Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution. | There are no reported fixed by versions. |
| VCID-jc1e-8tt4-xqdn; Aliases: CVE-2023-27561 GHSA-vpvm-3wq2-2wvm | Opencontainers runc Incorrect Authorization vulnerability. runc 1.0.0-rc95 through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to `libcontainer/rootfs_linux.go`. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. | There are no reported fixed by versions. |
| VCID-seds-dzew-jyfs; Aliases: CVE-2023-28642 GHSA-g2j6-57v7-gm8c | runc AppArmor bypass with symlinked /proc. Impact: It was found that AppArmor, and potentially SELinux, can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. Patches: Fixed in runc v1.1.5, by prohibiting symlinked `/proc`: https://github.com/opencontainers/runc/pull/3785 This PR fixes CVE-2023-27561 as well. Workarounds: Avoid using an untrusted container image. | There are no reported fixed by versions. |
| VCID-v2ys-xbn5-guh4; Aliases: CVE-2023-25809 GHSA-m8cg-xc2p-r3fc | rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc. Impact: It was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions: (1) when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker\|podman\|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl); (2) or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host. Other users' cgroup hierarchies are not affected. Patches: v1.1.5 (planned). Workarounds: Condition 1: Unshare the cgroup namespace (`(docker\|podman\|nerdctl) run --cgroupns=private`). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. Condition 2 (very rare): add `/sys/fs/cgroup` to `maskedPaths`. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T13:55:21.111687+00:00 | RedHat Importer | Affected by | VCID-e44x-a9xm-6ke9 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41724.json | 38.0.0 |
| 2026-04-01T13:55:13.606761+00:00 | RedHat Importer | Affected by | VCID-jc1e-8tt4-xqdn | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27561.json | 38.0.0 |
| 2026-04-01T13:54:39.870766+00:00 | RedHat Importer | Affected by | VCID-v2ys-xbn5-guh4 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25809.json | 38.0.0 |
| 2026-04-01T13:54:39.840438+00:00 | RedHat Importer | Affected by | VCID-seds-dzew-jyfs | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28642.json | 38.0.0 |