CVE-2016-9962: Information Exposure in RunC
CVSS Score: 6.4 (CVSS 3.0)
Basic Information
CVE ID: CVE-2016-9962
GHSA ID
EPSS Score: 0.43307%
CWE: CWE-200
Published: 12/20/2021
Updated: 1/9/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/opencontainers/runc | go | <= 1.0.0-rc2 | 1.0.0-rc3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from two issues: 1) Processes created via 'runc exec' were not marked as non-dumpable (via prctl PR_SET_DUMPABLE), allowing ptrace access. 2) The stateDirFD file descriptor wasn't closed before execve, creating a race condition where PID 1 could access host files through open FDs. The patches (50a19c6/5d93fed) explicitly add PR_SET_DUMPABLE in nsexec.c and close stateDirFD in both init paths, confirming these were the vulnerable areas. The commit messages and CWE-200 mapping directly correlate to these code changes.