CVE-2025-2713

7.8 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in the runsc component of Google gVisor. Incorrect handling of file access permissions in runsc allowed unprivileged users inside a sandbox to access files they were not permitted to read. The root cause was that sandboxed processes initially ran with elevated permissions before the first fork. Any system that runs containers under a runsc build older than the fix commit is affected.

💻 Affected Systems

Products:
  • Google gVisor runsc
Versions: Versions prior to the fix commit 586c38d70081b13b2ed494cef48e99b93956843e
Operating Systems: Linux systems running gVisor
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems that run containers under gVisor's runsc. Docker and containerd installations using the default runc runtime are not affected; those configured with runsc as a runtime (for example via a Kubernetes RuntimeClass) are.

📦 What is this software?

gVisor is an open-source application kernel from Google that implements a large part of the Linux system call interface in user space. runsc is its OCI-compatible container runtime: instead of running container processes directly on the host kernel, it runs them inside gVisor's sandbox (the Sentry). It is used as an alternative runtime under Docker, containerd and Kubernetes (via a RuntimeClass).

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access could escalate privileges to root-equivalent level, potentially gaining full control over the container environment and accessing sensitive host files.

🟠

Likely Case

Local users could access files they shouldn't have permission to view, potentially exposing configuration files, secrets, or other sensitive data within the container environment.

🟢

If Mitigated

With proper container isolation and minimal user privileges, impact would be limited to the container's filesystem rather than the host system.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing access to the system.
🏢 Internal Only: MEDIUM - Internal users with container access could exploit this to escalate privileges within container environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of the vulnerability. The attacker needs to be able to run processes within the container environment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 586c38d70081b13b2ed494cef48e99b93956843e and later

Vendor Advisory: https://github.com/google/gvisor/commit/586c38d70081b13b2ed494cef48e99b93956843e

Restart Required: Yes. A running sandbox is the old runsc binary itself (the `runsc boot` process), so replacing the binary on disk does not fix containers that are already running; stop and restart them after the update.

Instructions:

1. Update runsc to a build that contains commit 586c38d70081b13b2ed494cef48e99b93956843e (the first release tag dated after the commit, or a source build that includes it)
2. Restart every container running under runsc so it picks up the new binary; container images themselves do not need to be rebuilt
3. Verify the fix by checking the release tag printed by `runsc --version` against the release that first contains the commit

🔧 Temporary Workarounds

Restrict container privileges (platform: all)

Run containers with minimal privileges using security contexts and user namespaces:

docker run --user 1000:1000 --security-opt=no-new-privileges image_name

Caveat: this reduces the blast radius but does not close the bug. The attacker described by this CVE is already an unprivileged user inside the sandbox, so running the container as a non-root user does not stop the escalation; it only limits what the container holds that is worth reading. Keep secrets out of the container filesystem, mount volumes read-only where possible, and treat the update as the real fix.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can run containers on affected systems
  • Monitor for suspicious file access patterns within container environments

🔍 How to Verify

Check if Vulnerable:

A runsc build that does not contain commit 586c38d70081b13b2ed494cef48e99b93956843e is vulnerable. Release builds print a tag of the form release-YYYYMMDD.N; a tag dated before the release that first includes the commit is vulnerable. For a source build, check whether the commit is an ancestor of the checked-out revision.

Check Version:

runsc --version

Verify Fix Applied:

Confirm the release tag printed by `runsc --version` is the release that first contains commit 586c38d70081b13b2ed494cef48e99b93956843e or a later one, and that every sandbox was restarted after the binary was replaced.
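The checks above as a script, added here as an example and not part of the gVisor project. It assumes that `runsc --version` prints a line of the form "runsc version release-YYYYMMDD.N" (the tag format gVisor uses for release builds) and that the caller supplies, in RUNSC_FIX_RELEASE, the date of the first release tag that contains the fix commit, looked up on the gVisor releases page; the script does not hard-code that date. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not gVisor project code): is the installed runsc older than
# the CVE-2025-2713 fix? Assumptions: `runsc --version` prints
# "runsc version release-YYYYMMDD.N"; RUNSC_FIX_RELEASE holds the YYYYMMDD
# of the first release containing the fix commit (looked up by the reader).
FIX_COMMIT=586c38d70081b13b2ed494cef48e99b93956843e

# Print the YYYYMMDD part of the release tag found in `runsc --version`
# output; prints nothing for a dev build that carries no release tag.
release_date_from_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*release-\([0-9]\{8\}\)\.[0-9][0-9]*.*/\1/p' \
        | head -n 1
}

# Return 0 when release date $1 is on or after the fixed release date $2;
# return 2 when either value is missing, so callers can tell "unknown" apart.
is_fixed_release() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    [ "$1" -ge "$2" ]
}

# Source build: is the fix commit an ancestor of the checked-out HEAD?
# Usage: source_has_fix /path/to/gvisor
source_has_fix() {
    git -C "${1:-.}" merge-base --is-ancestor "$FIX_COMMIT" HEAD
}

# Running Docker containers whose runtime is runsc (these need a restart
# after the binary is replaced). Requires the docker CLI.
list_runsc_containers() {
    docker ps -q | while read -r id; do
        rt=$(docker inspect --format '{{.HostConfig.Runtime}}' "$id")
        case "$rt" in
            runsc*) docker inspect --format '{{.Name}} {{.HostConfig.Runtime}}' "$id" ;;
        esac
    done
}

runsc_check_main() {
    command -v runsc >/dev/null 2>&1 || { echo "runsc not found in PATH"; return 1; }
    ver=$(runsc --version 2>&1)
    echo "$ver"
    date=$(release_date_from_version "$ver")
    if [ -z "$date" ]; then
        echo "no release tag in version output; for a source build run: source_has_fix /path/to/gvisor"
        return 1
    fi
    if [ -z "${RUNSC_FIX_RELEASE:-}" ]; then
        echo "set RUNSC_FIX_RELEASE=YYYYMMDD to the first release containing $FIX_COMMIT"
        return 1
    fi
    if is_fixed_release "$date" "$RUNSC_FIX_RELEASE"; then
        echo "release-$date is at or after the fixed release: not vulnerable"
    else
        echo "release-$date predates the fixed release: VULNERABLE, update runsc and restart sandboxes"
        return 1
    fi
    echo "containers currently running under runsc (restart these after updating):"
    list_runsc_containers
}

# Only runs when invoked as `sh runsc_check.sh --run`; sourcing the file
# just defines the functions.
case "${1:-}" in --run) runsc_check_main ;; esac
```

Run it as `RUNSC_FIX_RELEASE=YYYYMMDD sh runsc_check.sh --run` on each node; a non-zero exit means vulnerable or undetermined. The date comparison is deliberately conservative: a build with no release tag is reported as undetermined rather than fixed, and the git check is the only reliable answer for such builds.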

📡 Detection & Monitoring

Log Indicators:

  • Unprivileged processes inside a sandbox reading files whose mode or ownership should deny them (root-owned secrets, configuration, other users' home directories)
  • Permission-denied (EACCES/EPERM) syscall results in runsc debug or strace logs, followed by successful reads of the same paths

Network Indicators:

  • N/A - Local privilege escalation

SIEM Query:

Search container runtime logs for 'permission denied' or 'access violation' events attributed to non-root users, and correlate them with subsequent successful opens of the same paths. Note that runsc emits per-sandbox logs only when started with --debug and --debug-log=PATH, and syscall-level detail only with --strace; without those flags there is nothing for this query to match.
