CVE-2025-27612: Libcontainer is affected by capabilities elevation similar to GHSA-f3fp-gc8g-vw66
In libcontainer, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. Code can be seen here . The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container.
However, GHSA-f3fp-gc8g-vw66 was opened on runc mentioning that setting inherited caps in any case for tenant container can lead to elevation of capabilities. For this, they added a fix here where they never set new inherited caps on tenant, and set ambient caps only if original container had inherited caps.
Similarly crun never sets inherited caps as can be seen here.
[!NOTE] This does not affect youki binary itself, as the exec implementation is partially broken and does not pass on the user-provided caps to tenant containers, this is only applicable if you are using libcontainer directly and using the tenant builder.
References
- github.com/advisories/GHSA-5w4j-f78p-4wh9
- github.com/containers/crun/blob/3ec6298abd79e144fbf3fa6db90793ff4c0516f9/src/exec.c
- github.com/opencontainers/runc/blob/986451c24e17c8d4be3c454f60b1f7be4af3e8b4/exec.go
- github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66
- github.com/youki-dev/youki
- github.com/youki-dev/youki/blob/9e63fa4da1672a78ca45100f3059a732784a5174/crates/libcontainer/src/container/tenant_builder.rs
- github.com/youki-dev/youki/commit/747e342d2026fbf3a395db3e2a491ebef00082f1
- github.com/youki-dev/youki/security/advisories/GHSA-5w4j-f78p-4wh9
- man7.org/linux/man-pages/man7/capabilities.7.html
- nvd.nist.gov/vuln/detail/CVE-2025-27612
Code Behaviors & Features
Detect and mitigate CVE-2025-27612 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →