CVE-2020-27352

9.3 CRITICAL

📋 TL;DR

A privilege escalation vulnerability in snapd's systemd service unit generation allows Docker containers within snaps to gain unintended privileges. When systemd reloads units without Delegate=yes, container processes can be moved into the main snap daemon's cgroup. This affects systems running Docker or similar container snaps via snapd.

💻 Affected Systems

Products:
  • snapd
  • docker snap
  • similar container snaps
Versions: snapd versions before 2.48.1
Operating Systems: Ubuntu, Linux distributions using snapd
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using snap packages for Docker or similar container runtimes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Container breakout leading to full host compromise, allowing attackers to execute arbitrary code with root privileges on the underlying system.

🟠 Likely Case

Container privilege escalation enabling unauthorized access to host resources, potentially compromising other containers or services.

🟢 If Mitigated

Limited impact with proper container isolation and security controls, though some privilege escalation risk remains.

🌐 Internet-Facing: MEDIUM - Exploitation requires access to a vulnerable container, which may be exposed via web services or APIs.
🏢 Internal Only: HIGH - Internal attackers or compromised containers can exploit this to escalate privileges within the environment.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to a container within a vulnerable snap. Public proof-of-concept demonstrates the privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: snapd 2.48.1 and later

Vendor Advisory: https://ubuntu.com/security/notices/USN-4728-1

Restart Required: Yes

Instructions:

1. Update snapd: sudo snap refresh snapd
2. Update affected snaps: sudo snap refresh docker
3. Restart affected services: sudo systemctl restart snap.docker.dockerd

🔧 Temporary Workarounds

Disable affected snaps

Temporarily disable Docker or other affected snaps until patched.

sudo snap disable docker

Use alternative Docker installation

Switch to Docker installed via apt or other package managers instead of snap.

sudo snap remove docker
sudo apt install docker.io

🧯 If You Can't Patch

  • Implement strict container isolation policies and limit container capabilities.
  • Monitor container behavior for privilege escalation attempts and restrict container-to-host interactions.

🔍 How to Verify

Check if Vulnerable:

Check the installed snapd version: snap version | grep snapd
The system is vulnerable if the reported snapd version is below 2.48.1.

Verify Fix Applied:

Confirm that the snapd version reported by snap version | grep snapd is 2.48.1 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process movements between cgroups in systemd logs
  • Container processes appearing in snap daemon cgroup

Network Indicators:

  • Unexpected network connections from containers to host services

SIEM Query:

source="systemd" AND "cgroup" AND ("move" OR "delegate")
