CVE-2025-27612
📋 TL;DR
This vulnerability in libcontainer allows tenant containers to inherit capabilities from the main container, potentially leading to privilege escalation. Only users who directly use libcontainer's tenant builder functionality are affected. The youki binary itself is not vulnerable.
💻 Affected Systems
- libcontainer (youki project)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could gain elevated capabilities within a tenant container, potentially breaking container isolation and accessing host resources or other containers.
Likely Case
Accidental capability inheritance leading to unintended container permissions and potential security boundary violations.
If Mitigated
With proper capability restrictions and container isolation controls, impact would be limited to the specific tenant container.
🎯 Exploit Status
Exploitation requires understanding of libcontainer's tenant builder API and container capability management.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libcontainer 0.5.3
Vendor Advisory: https://github.com/youki-dev/youki/security/advisories/GHSA-5w4j-f78p-4wh9
Restart Required: Yes
Instructions:
1. Update libcontainer dependency to version 0.5.3 or later.
2. Rebuild any applications using libcontainer.
3. Restart containers using the updated library.
🔧 Temporary Workarounds
Avoid tenant builder usage
Platform: linux
Do not use libcontainer's tenant builder functionality until patched
Capability restriction
Platform: linux
Explicitly set minimal capabilities for tenant containers
Set minimal capabilities in tenant container spec: "capabilities": {"bounding": ["CAP_CHOWN"], ...}
🧯 If You Can't Patch
- Audit all usage of libcontainer's tenant builder and ensure minimal capabilities are set
- Implement additional container isolation controls and monitor for unusual capability usage
🔍 How to Verify
Check if Vulnerable:
Check libcontainer version in Cargo.toml or run: cargo tree | grep libcontainer
Check Version:
cargo tree | grep libcontainer
Verify Fix Applied:
Verify libcontainer version is 0.5.3 or later: cargo tree | grep "libcontainer v" and compare the version shown against 0.5.3 (cargo tree prints versions with a leading "v", so grepping for the literal "libcontainer 0.5.3" matches nothing, and an exact match would in any case miss later releases such as 0.5.10).
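The following script is an added example (not code from the youki project) that does the version check above properly: it parses every libcontainer line in cargo tree output and compares the resolved version against 0.5.3 numerically, so 0.5.10 or 0.6.0 count as fixed while 0.5.2 or a 0.5.3 pre-release do not. It reads the resolved versions (what Cargo.lock pins), not the requirement written in Cargo.toml. The sample tree output is constructed, and run_cargo_tree() is a hypothetical helper that shells out to the real cargo tree.

```python
"""Decide from `cargo tree` output whether every resolved libcontainer
version is at or above the fixed release (0.5.3).

Added example for this advisory, not youki/libcontainer code. The sample
tree output is constructed; run_cargo_tree() is a hypothetical helper that
shells out to the real `cargo tree`."""
import re
import subprocess

FIXED = (0, 5, 3)

# cargo tree prints e.g. "├── libcontainer v0.5.2" or "libcontainer v0.5.3-rc.1".
LINE_RE = re.compile(r"\blibcontainer v(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.\-]+)?\b")


def parse_versions(tree_output):
    """Distinct libcontainer versions found in the output, as
    (major, minor, patch, prerelease_or_None) tuples, sorted ascending
    with a pre-release ordered before the release it precedes."""
    found = set()
    for m in LINE_RE.finditer(tree_output):
        major, minor, patch, pre = m.groups()
        found.add((int(major), int(minor), int(patch), pre[1:] if pre else None))
    return sorted(found, key=lambda v: (v[:3], 0 if v[3] else 1, v[3] or ""))


def is_fixed(version):
    """True if the resolved version is 0.5.3 or later. A pre-release of 0.5.3
    (e.g. 0.5.3-rc.1) precedes the release and is therefore not fixed."""
    major, minor, patch, pre = version
    if (major, minor, patch) == FIXED:
        return pre is None
    return (major, minor, patch) > FIXED


def fmt(version):
    """Render a parsed version tuple back to its string form."""
    major, minor, patch, pre = version
    return f"{major}.{minor}.{patch}" + (f"-{pre}" if pre else "")


def classify(tree_output):
    """{"fixed": [...], "vulnerable": [...]} as version strings; both lists
    empty means libcontainer is not in the dependency graph at all."""
    result = {"fixed": [], "vulnerable": []}
    for v in parse_versions(tree_output):
        result["fixed" if is_fixed(v) else "vulnerable"].append(fmt(v))
    return result


def run_cargo_tree(manifest_dir="."):
    """Hypothetical helper: run `cargo tree` in a project and return its stdout."""
    return subprocess.run(["cargo", "tree"], cwd=manifest_dir,
                          capture_output=True, text=True, check=True).stdout


# Constructed sample: one dependency path still on 0.5.2, another on 0.5.10,
# which a literal grep for "0.5.3" would wrongly report as missing the fix.
SAMPLE_TREE = """\
myapp v0.1.0 (/src/myapp)
├── libcontainer v0.5.2
│   └── oci-spec v0.6.0
└── tenant-tool v0.1.0 (/src/tenant-tool)
    └── libcontainer v0.5.10
"""

if __name__ == "__main__":
    # For a real project: print(classify(run_cargo_tree("/path/to/project")))
    print(classify(SAMPLE_TREE))
```

Because classify() reports every distinct resolved version, a workspace that pulls libcontainer in through two dependency paths (one updated, one not) shows up as both fixed and vulnerable instead of silently passing.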
📡 Detection & Monitoring
Log Indicators:
- Unusual capability assignments in container creation logs
- Tenant containers running with unexpected capabilities
Network Indicators:
- None specific - this is a local privilege issue
SIEM Query:
Search for container creation events with tenant builder usage and capability modifications
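The script below is an added example (not youki/libcontainer code) that covers two items on this page: the capability-restriction workaround, which needs all five OCI capability sets pinned rather than only the bounding set shown in the fragment above, and the log indicator "tenant containers running with unexpected capabilities", which can be checked directly from the Cap* lines of /proc/<pid>/status. The allowlist (CAP_CHOWN, as in the workaround), the sample spec and the sample status text are constructed; the capability bit numbers come from <linux/capability.h>.

```python
"""Audit capability sets for a tenant container, both in the OCI spec
(process.capabilities in config.json) and on a running process
(the Cap* lines of /proc/<pid>/status).

Added example for this advisory; it is not code from youki/libcontainer.
The allowlist, sample spec and sample status text are constructed."""
import re

# Linux capability bit numbers from <linux/capability.h>; list index == bit.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The five capability sets of the OCI runtime spec's process.capabilities.
OCI_CAP_SETS = ("bounding", "effective", "permitted", "inheritable", "ambient")

# /proc/<pid>/status field name -> the OCI set it corresponds to.
PROC_CAP_FIELDS = {"CapBnd": "bounding", "CapEff": "effective", "CapPrm": "permitted",
                   "CapInh": "inheritable", "CapAmb": "ambient"}


def minimal_capabilities(allowlist):
    """Full process.capabilities object with every set pinned to the allowlist,
    so no set is left unspecified where extra capabilities could end up."""
    return {s: sorted(allowlist) for s in OCI_CAP_SETS}


def audit_spec_capabilities(process_caps, allowlist):
    """Findings ("<set>: <cap>" or "<set>: not specified") for a spec's
    process.capabilities dict; an empty list means it is within the allowlist."""
    allowed = set(allowlist)
    findings = []
    for s in OCI_CAP_SETS:
        if s not in process_caps:
            findings.append(f"{s}: not specified")
            continue
        for cap in sorted(set(process_caps[s]) - allowed):
            findings.append(f"{s}: {cap}")
    return findings


def decode_cap_mask(hex_mask):
    """Turn a Cap* hex mask from /proc/<pid>/status into capability names."""
    mask = int(hex_mask, 16)
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_BIT_{bit}"
            for bit in range(mask.bit_length()) if mask >> bit & 1]


def audit_proc_status(status_text, allowlist):
    """{oci_set: [caps outside the allowlist]} for a running process,
    given the text of its /proc/<pid>/status."""
    allowed = set(allowlist)
    findings = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", line.strip())
        if not m:
            continue
        extra = sorted(set(decode_cap_mask(m.group(2))) - allowed)
        if extra:
            findings[PROC_CAP_FIELDS[m.group(1)]] = extra
    return findings


# --- constructed sample data -------------------------------------------------
ALLOWLIST = ["CAP_CHOWN"]  # the minimal example used in the workaround above

# Constructed tenant spec: bounding set carries an extra cap, ambient set omitted.
SAMPLE_SPEC_CAPS = {
    "bounding": ["CAP_CHOWN", "CAP_SYS_ADMIN"],
    "effective": ["CAP_CHOWN"],
    "permitted": ["CAP_CHOWN"],
    "inheritable": ["CAP_CHOWN"],
}

# Constructed /proc/<pid>/status excerpt: 0x200001 = CAP_SYS_ADMIN (bit 21) | CAP_CHOWN (bit 0).
SAMPLE_STATUS = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t0000000000200001
CapEff:\t0000000000200001
CapBnd:\t0000000000200001
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print("spec findings:", audit_spec_capabilities(SAMPLE_SPEC_CAPS, ALLOWLIST))
    print("proc findings:", audit_proc_status(SAMPLE_STATUS, ALLOWLIST))
    print("hardened spec:", minimal_capabilities(ALLOWLIST))
```

To check a live tenant, read /proc/<pid>/status for the tenant's init process and pass the text to audit_proc_status(); any non-empty result is the "unexpected capabilities" condition the detection section describes, and minimal_capabilities() produces the spec fragment to apply as the workaround.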
🔗 References
- https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66
- https://github.com/youki-dev/youki/blob/9e63fa4da1672a78ca45100f3059a732784a5174/crates/libcontainer/src/container/tenant_builder.rs#L408
- https://github.com/youki-dev/youki/commit/747e342d2026fbf3a395db3e2a491ebef00082f1
- https://github.com/youki-dev/youki/security/advisories/GHSA-5w4j-f78p-4wh9