Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-997v-f2ds-e3e4
Vulnerability ID VCID-997v-f2ds-e3e4
Aliases CVE-2019-19921
GHSA-fh74-hm69-rqjw
Summary Multiple vulnerabilities have been discovered in runC, the worst of which may lead to privilege escalation.
Status Published
Exploitability 0.5
Weighted Severity 6.3
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-706 Use of Incorrectly-Resolved Name or Reference
CWE-41 Improper Resolution of Path Equivalence
System Score Found at
cvssv3.1 5.9 http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html
cvssv3.1 5.9 https://access.redhat.com/errata/RHSA-2020:0688
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2020:0688
cvssv3.1 5.9 https://access.redhat.com/errata/RHSA-2020:0695
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2020:0695
cvssv3 7.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19921.json
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2019-19921
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2019-19921
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2019-19921
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2019-19921
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2019-19921
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2019-19921
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2019-19921
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2019-19921
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2019-19921
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2019-19921
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2019-19921
cvssv3.1 5.9 https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
generic_textual MODERATE https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
cvssv3.1 5.9 https://github.com/opencontainers/runc/issues/2197
generic_textual MODERATE https://github.com/opencontainers/runc/issues/2197
cvssv3.1 5.9 https://github.com/opencontainers/runc/pull/2190
generic_textual MODERATE https://github.com/opencontainers/runc/pull/2190
cvssv3.1 5.9 https://github.com/opencontainers/runc/pull/2207
generic_textual MODERATE https://github.com/opencontainers/runc/pull/2207
cvssv3.1 5.9 https://github.com/opencontainers/runc/releases
generic_textual MODERATE https://github.com/opencontainers/runc/releases
cvssv3.1 5.9 https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
generic_textual MODERATE https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
cvssv3.1 5.9 https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
cvssv3.1 5.9 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN
cvssv3.1 5.9 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF
cvssv3.1 5.9 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD
cvssv3.1 5.9 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5
cvssv3.1 5.9 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2019-19921
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2019-19921
cvssv3.1 5.9 https://pkg.go.dev/vuln/GO-2021-0087
generic_textual MODERATE https://pkg.go.dev/vuln/GO-2021-0087
cvssv3.1 5.9 https://security.gentoo.org/glsa/202003-21
generic_textual MODERATE https://security.gentoo.org/glsa/202003-21
cvssv3.1 5.9 https://security-tracker.debian.org/tracker/CVE-2019-19921
generic_textual MODERATE https://security-tracker.debian.org/tracker/CVE-2019-19921
cvssv3.1 5.9 https://usn.ubuntu.com/4297-1
generic_textual MODERATE https://usn.ubuntu.com/4297-1
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html
https://access.redhat.com/errata/RHSA-2020:0688
https://access.redhat.com/errata/RHSA-2020:0695
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19921.json
https://api.first.org/data/v1/epss?cve=CVE-2019-19921
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19921
https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
https://github.com/opencontainers/runc/issues/2197
https://github.com/opencontainers/runc/pull/2190
https://github.com/opencontainers/runc/pull/2207
https://github.com/opencontainers/runc/releases
https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ
https://nvd.nist.gov/vuln/detail/CVE-2019-19921
https://pkg.go.dev/vuln/GO-2021-0087
https://security-tracker.debian.org/tracker/CVE-2019-19921
https://usn.ubuntu.com/4297-1
1796107 https://bugzilla.redhat.com/show_bug.cgi?id=1796107
GLSA-202003-21 https://security.gentoo.org/glsa/202003-21
RHSA-2020:0942 https://access.redhat.com/errata/RHSA-2020:0942
RHSA-2020:1485 https://access.redhat.com/errata/RHSA-2020:1485
USN-4297-1 https://usn.ubuntu.com/4297-1/
USN-6088-2 https://usn.ubuntu.com/6088-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://access.redhat.com/errata/RHSA-2020:0688
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://access.redhat.com/errata/RHSA-2020:0695
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19921.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://github.com/opencontainers/runc/issues/2197
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://github.com/opencontainers/runc/pull/2190
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://github.com/opencontainers/runc/pull/2207
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://github.com/opencontainers/runc/releases
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://nvd.nist.gov/vuln/detail/CVE-2019-19921
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://pkg.go.dev/vuln/GO-2021-0087
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://security.gentoo.org/glsa/202003-21
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://security-tracker.debian.org/tracker/CVE-2019-19921
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U Found at https://usn.ubuntu.com/4297-1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.31934
EPSS Score 0.00126
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:01:29.027000+00:00 Gentoo Importer Import https://security.gentoo.org/glsa/202003-21 38.0.0