| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| users | rust | >= 0.8.0, <= 0.11.0 | |
The vulnerability lies in how the users crate determines the supplementary group list of the calling process on Unix-like systems. The function group_access_list (in src/base.rs) pre-allocates a buffer of 1024 gid_t elements initialized to 0, which on most systems is the GID of the root group, and then calls libc::getgroups to fill it with the process's supplementary group IDs. getgroups writes only as many entries as the process actually has, returns that count, and leaves the rest of the buffer untouched. The flaw is that the code ignores the returned count: instead of using only the first count entries, it iterates over all 1024 elements, so whenever the process belongs to fewer than 1024 groups (in practice, always) the untouched trailing zeros are resolved as group ID 0 and the root group is appended to the result. The deduplication step that follows does not help: Vec::dedup only removes consecutive duplicates, so the run of trailing zeros collapses into a single root entry rather than disappearing, and root appears in the final list even though the process is not a member of it. Software that relies on this list for authorization decisions may therefore treat an unprivileged process as a member of the root group, which can lead to privilege escalation. The correct behaviour is to truncate the buffer to the count returned by getgroups before resolving any group IDs.
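The following is an added example, not code from the users crate, that reproduces the buffer handling described above beside the hardened form. To keep it self-contained, the real libc::getgroups call is replaced by a constructed stand-in, simulated_getgroups, which behaves as the syscall does on success (fills the front of the buffer, returns the count, touches nothing else); the gid_t alias as u32 and the function names are assumptions for this example.

```rust
/// gid_t is a u32 on Linux and the BSDs; a plain alias is used here so the
/// example needs no external crate (assumption for this example).
type GidT = u32;

/// Size of the buffer the users crate pre-allocates before calling getgroups(2).
const BUF_LEN: usize = 1024;

/// Constructed stand-in for libc::getgroups(2): copies the process's
/// supplementary groups (`real`) into the front of `buf` and returns how many
/// it wrote. Every other element is left exactly as it was, which is what the
/// kernel does too.
fn simulated_getgroups(real: &[GidT], buf: &mut [GidT]) -> i32 {
    let n = real.len().min(buf.len());
    buf[..n].copy_from_slice(&real[..n]);
    n as i32
}

/// The vulnerable pattern: zero-initialise 1024 entries, call getgroups, then
/// walk the *whole* buffer. Untouched trailing zeros are read as GID 0 (root);
/// dedup() only collapses consecutive duplicates, so they survive as one root
/// entry at the end of the list.
fn group_access_list_vulnerable(real: &[GidT]) -> Vec<GidT> {
    let mut buf = vec![0 as GidT; BUF_LEN];
    let res = simulated_getgroups(real, &mut buf);
    assert!(res >= 0, "getgroups failed");
    // Bug: `res` is never used to bound the iteration.
    let mut gids = buf;
    gids.dedup();
    gids
}

/// Hardened version: honour the count returned by getgroups and drop the
/// untouched remainder of the buffer before resolving any GID.
fn group_access_list_fixed(real: &[GidT]) -> Vec<GidT> {
    let mut buf = vec![0 as GidT; BUF_LEN];
    let res = simulated_getgroups(real, &mut buf);
    assert!(res >= 0, "getgroups failed");
    buf.truncate(res as usize); // keep only what getgroups actually wrote
    buf
}

/// True when the vulnerable routine reports root (GID 0) for a process whose
/// real supplementary groups do not include it.
fn grants_spurious_root(real: &[GidT]) -> bool {
    !real.contains(&0) && group_access_list_vulnerable(real).contains(&0)
}

fn main() {
    // Constructed sample: an ordinary user in three non-root groups.
    let real: [GidT; 3] = [1000, 27, 100];
    println!("vulnerable: {:?}", group_access_list_vulnerable(&real));
    println!("fixed:      {:?}", group_access_list_fixed(&real));
    println!("spurious root granted: {}", grants_spurious_root(&real));
}
```

Running this prints `[1000, 27, 100, 0]` for the vulnerable routine and `[1000, 27, 100]` for the fixed one; the single trailing 0 is the collapsed run of 1021 untouched buffer slots, which is exactly the entry an authorization check would misread as root-group membership.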