{"id":"CVE-2023-27561","details":"runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue is a regression of the fix for CVE-2019-19921.","aliases":["GHSA-vpvm-3wq2-2wvm","GO-2023-1627"],"modified":"2026-03-20T12:26:55.761836Z","published":"2023-03-03T19:15:11.330Z","related":["ALSA-2023:6380","ALSA-2023:6938","ALSA-2023:6939","CGA-rw9v-3gfv-r4r4","MGASA-2023-0125","SUSE-SU-2023:1726-1","SUSE-SU-2023:2003-1","openSUSE-SU-2024:12826-1","openSUSE-SU-2024:12992-1","openSUSE-SU-2025:15424-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241206-0004/"},{"type":"REPORT","url":"https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334"},{"type":"REPORT","url":"https://github.com/opencontainers/runc/issues/3751"},{"type":"EVIDENCE","url":"https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9"}],"affected":[{"ranges":[{"type":"GIT",
"repo":"https://github.com/opencontainers/runc","events":[{"introduced":"0"},{"fixed":"f19387a6bec4944c770f7668ab51c4348d9c2f38"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.1.5"}]}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v0.1.0","v0.1.1","v1.0.0","v1.0.0-rc1","v1.0.0-rc10","v1.0.0-rc2","v1.0.0-rc3","v1.0.0-rc4","v1.0.0-rc5","v1.0.0-rc6","v1.0.0-rc7","v1.0.0-rc8","v1.0.0-rc9","v1.0.0-rc90","v1.0.0-rc91","v1.0.0-rc92","v1.0.0-rc93","v1.0.0-rc94","v1.0.0-rc95","v1.1.0","v1.1.0-rc.1","v1.1.1","v1.1.2","v1.1.3","v1.1.4"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-27561.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}