x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2025-27612

[GoVulnBot]

Advisory CVE-2025-27612 references a vulnerability in the following Go modules:

Module
github.com/opencontainers/runc

Description:
libcontainer is a library for container control. Prior to libcontainer 0.5.3, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container. However, setting inherited caps in any case for tenant container can lead to elevation of capabilities, similar to CVE-2022-29162. This does not affect youki binary itself. This is only applicable if you are...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-27612
• FIX: youki-dev/youki@747e342
• WEB: GHSA-f3fp-gc8g-vw66
• WEB: https://github.com/youki-dev/youki/blob/9e63fa4da1672a78ca45100f3059a732784a5174/crates/libcontainer/src/container/tenant_builder.rs#L408
• WEB: GHSA-5w4j-f78p-4wh9

Cross references:

• github.com/opencontainers/runc appears in 13 other report(s):
  • data/reports/GO-2021-0070.yaml (dummy issue #70)
  • data/reports/GO-2021-0085.yaml (dummy issue #85)
  • data/reports/GO-2021-0087.yaml (dummy issue #87)
  • data/reports/GO-2022-0274.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2021-43784 #274)
  • data/reports/GO-2022-0396.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: GHSA-g54h-m393-cpwq #396)
  • data/reports/GO-2022-0452.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2022-29162 #452)
  • data/reports/GO-2022-0835.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: GHSA-gp4j-w3vj-7299 #835)
  • data/reports/GO-2022-0914.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2021-30465, GHSA-c3xm-pvg7-gh7r #914)
  • data/reports/GO-2023-1627.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: GHSA-vpvm-3wq2-2wvm #1627)
  • data/reports/GO-2023-1682.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2023-25809 #1682)
  • data/reports/GO-2023-1683.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2023-28642 #1683)
  • data/reports/GO-2024-2491.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2024-21626 #2491)
  • data/reports/GO-2024-3110.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: GHSA-jfvp-7x6p-h2pv #3110)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/opencontainers/runc
      vulnerable_at: 1.2.6
summary: CVE-2025-27612 in github.com/opencontainers/runc
cves:
    - CVE-2025-27612
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-27612
    - fix: https://github.com/youki-dev/youki/commit/747e342d2026fbf3a395db3e2a491ebef00082f1
    - web: https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66
    - web: https://github.com/youki-dev/youki/blob/9e63fa4da1672a78ca45100f3059a732784a5174/crates/libcontainer/src/container/tenant_builder.rs#L408
    - web: https://github.com/youki-dev/youki/security/advisories/GHSA-5w4j-f78p-4wh9
source:
    id: CVE-2025-27612
    created: 2025-03-21T16:01:32.053908211Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/660559 mentions this issue: data/reports: add 28 reports

[gopherbot]

Change https://go.dev/cl/661075 mentions this issue: data/reports: withdraw 1 report

[thatnealpatel]

Not Go code;
https://nvd.nist.gov/vuln/detail/CVE-2025-27612 lists GHSA-f3fp-gc8g-vw66 which caused automation to flag as Go.

See #3578 for details.