The vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) race condition in the youki container runtime, specifically within the handling of 'masked paths'. The libcontainer::process::init::process::masked_path function was responsible for masking files or directories inside the container, often by bind-mounting /dev/null over them.
The vulnerability stems from the function using the string path "/dev/null" directly in the mount syscall. This creates a window of opportunity for an attacker to replace /dev/null inside the container with a symbolic link pointing to an arbitrary file on the host system. When masked_path is called, the mount syscall follows this symlink, causing the targeted host file to be mounted into the container's filesystem. This can be abused for container escape.
The function libcontainer::process::init::process::container_init_process calls the vulnerable masked_path function and would be present in the call stack during exploitation.
The patch mitigates this by:
- Replacing the masked_path function with a new masked_paths function.
- Opening /dev/null using the O_PATH flag to get a file descriptor without following the final symlink component. This prevents the race condition.
- Verifying that the opened file descriptor refers to the /dev/null character device (major 1, minor 3).
- Adding a mount_from_fd function that performs the mount using the safe file descriptor instead of the path.

| Symbol | File |
|---|---|
| libcontainer::process::init::process::masked_path | crates/libcontainer/src/process/init/process.rs |
| libcontainer::process::init::process::container_init_process | crates/libcontainer/src/process/init/process.rs |
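The fixed approach in plain Rust std, as an added example that is not youki's own code: open /dev/null once, verify via fstat on that descriptor that it is character device 1:3, and name the mount source by the descriptor rather than the path. The flag values, the added O_NOFOLLOW, and the /proc/self/fd form of the mount source are assumptions; the mount(2) call itself is not shown.

```rust
use std::fs::{File, OpenOptions};
use std::io;
use std::os::unix::fs::{FileTypeExt, MetadataExt, OpenOptionsExt};
use std::os::unix::io::AsRawFd;

// Linux asm-generic flag values, assumed here instead of taking them from the libc crate.
const O_PATH: i32 = 0o10000000;
const O_NOFOLLOW: i32 = 0o400000;

/// Major number of a Linux st_rdev (same layout as glibc's gnu_dev_major).
pub fn dev_major(rdev: u64) -> u64 {
    ((rdev >> 8) & 0xfff) | ((rdev >> 32) & !0xfff)
}

/// Minor number of a Linux st_rdev (same layout as glibc's gnu_dev_minor).
pub fn dev_minor(rdev: u64) -> u64 {
    (rdev & 0xff) | ((rdev >> 12) & !0xff)
}

/// True only for the null device: a character device with major 1, minor 3.
pub fn is_null_device(is_char_device: bool, rdev: u64) -> bool {
    is_char_device && dev_major(rdev) == 1 && dev_minor(rdev) == 3
}

/// Open /dev/null as an O_PATH descriptor and check that descriptor with fstat.
/// O_PATH alone still follows a final symlink, so O_NOFOLLOW is added here (an
/// assumption beyond the page): a symlink planted at /dev/null then yields a
/// descriptor to the link itself, and the device check below rejects it.
pub fn open_verified_dev_null() -> io::Result<File> {
    let f = OpenOptions::new()
        .read(true) // access mode is ignored with O_PATH, but std requires one to be set
        .custom_flags(O_PATH | O_NOFOLLOW)
        .open("/dev/null")?;
    let md = f.metadata()?; // fstat on the fd: no second path lookup, so no TOCTOU window
    if !is_null_device(md.file_type().is_char_device(), md.rdev()) {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "/dev/null is not char device 1:3"));
    }
    Ok(f)
}

/// Source string for a MS_BIND mount(2): the /proc/self/fd link of the verified
/// descriptor, so the kernel resolves the open file, never the "/dev/null" path.
pub fn mount_source(verified: &File) -> String {
    format!("/proc/self/fd/{}", verified.as_raw_fd())
}

fn main() -> io::Result<()> {
    let f = open_verified_dev_null()?;
    println!("bind-mount source for masking: {}", mount_source(&f));
    Ok(())
}
```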
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| youki | rust | < 0.5.7 | 0.5.7 |