CVE-2026-30892

Published: Mar 26, 2026Modified: Mar 27, 2026

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue.

Affected (1)

Products: Crun Project: Crun

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Crun Project Crun	From 1.19 to 1.27

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (3)

https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01

Source: security-advisories@github.com

Patch

https://github.com/containers/crun/releases/tag/1.27

Source: security-advisories@github.com

Product

https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.