5.9

CVSS Score

Basic Information

CVE ID

CVE-2025-27612

GHSA ID

GHSA-5w4j-f78p-4wh9

EPSS Score

CWE

CWE-276

Published

3/21/2025

Updated

3/21/2025

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27612

CVE-2025-27612:
Libcontainer is affected by capabilities elevation similar to GHSA-f3fp-gc8g-vw66

Impact

In libcontainer, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. Code can be seen here . The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container.

However, GHSA-f3fp-gc8g-vw66 was opened on runc mentioning that setting inherited caps in any case for tenant container can lead to elevation of capabilities. For this, they added a fix here where they never set new inherited caps on tenant, and set ambient caps only if original container had inherited caps.

Similarly crun never sets inherited caps as can be seen here.

[!NOTE] This does not affect youki binary itself, as the exec implementation is partially broken and does not pass on the user-provided caps to tenant containers, this is only applicable if you are using libcontainer directly and using the tenant builder.

Workarounds

Do not pass any user-provided capabilities to the tenant builder, in which case no capabilities will be set on tenant.
Alternatively you can verify the capabilities of original container and filter the user passed capabilities before setting them on tenant.

References

https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66
https://man7.org/linux/man-pages/man7/capabilities.7.html

(GitHub Advisory)

5.9

CVSS Score

Basic Information

CVE ID

CVE-2025-27612

GHSA ID

GHSA-5w4j-f78p-4wh9

EPSS Score

CWE

CWE-276

Published

3/21/2025

Updated

3/21/2025

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
libcontainer	rust

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from how capabilities were merged in TenantContainerBuilder::get_capabilities. The original implementation unconditionally added user-provided caps to inheritable/ambient sets when the main container had capabilities, violating security boundaries. The fix introduced proper checks (only setting ambient caps if original container had inheritable caps) and removed the vulnerable merging logic. The commit diff shows this function was completely replaced, and the CVE description explicitly references line 408 in tenant_builder.rs as the vulnerable code location.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In li**ont*in*r, w*il* *r**tin* * t*n*nt *ont*in*r, t** t*n*nt *uil**r ****pts * list o* **p**iliti*s to ** ***** in t** sp** o* t*n*nt *ont*in*r. *o** **n ** s**n [**r*](*ttps://*it*u*.*om/youki-**v/youki/*lo*/****************************

Reasoning

T** vuln*r**ility st*mm** *rom *ow **p**iliti*s w*r* m*r*** in T*n*nt*ont*in*r*uil**r::**t_**p**iliti*s. T** ori*in*l impl*m*nt*tion un*on*ition*lly ***** us*r-provi*** **ps to in**rit**l*/*m*i*nt s*ts w**n t** m*in *ont*in*r *** **p**iliti*s, viol*t

5.9

Basic Information

Concerned about an active attack path?

CVE-2025-27612: Libcontainer is affected by capabilities elevation similar to GHSA-f3fp-gc8g-vw66

Impact

Workarounds

References

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-27612:
Libcontainer is affected by capabilities elevation similar to GHSA-f3fp-gc8g-vw66

Vulnerability Intelligence
Miggo AI