{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-57851", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-08-21T14:40:40.822Z", "datePublished": "2026-04-08T13:55:00.925Z", "dateUpdated": "2026-05-01T20:44:04.799Z"}, "containers": {"cna": {"title": "Mce: privilege escalation via excessive /etc/passwd permissions", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container."}], "affected": [{"vendor": "Red Hat", "product": "Multicluster Engine for Kubernetes", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "multicluster-engine/agent-service-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:multicluster_engine"]}, {"vendor": "Red Hat", "product": "Multicluster Engine for Kubernetes", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "multicluster-engine/assisted-service-8-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:multicluster_engine"]}, {"vendor": "Red Hat", "product": "Multicluster Engine for Kubernetes", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "multicluster-engine/assisted-service-9-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:multicluster_engine"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-57851", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391104", "name": "RHBZ#2391104", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-08T13:45:54.565Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-276: Incorrect Default Permissions", "timeline": [{"lang": "en", "time": "2025-08-26T18:44:31.833Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-08T13:45:54.565Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-01T20:44:04.799Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:18:31.297261Z", "id": "CVE-2025-57851", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:18:38.990Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-57851", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T15:18:31.297261Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:18:35.640Z"}}], "cna": {"title": "Mce: privilege escalation via excessive /etc/passwd permissions", "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:multicluster_engine"], "vendor": "Red Hat", "product": "Multicluster Engine for Kubernetes", "packageName": "multicluster-engine/agent-service-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:multicluster_engine"], "vendor": "Red Hat", "product": "Multicluster Engine for Kubernetes", "packageName": "multicluster-engine/assisted-service-8-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:multicluster_engine"], "vendor": "Red Hat", "product": "Multicluster Engine for Kubernetes", "packageName": "multicluster-engine/assisted-service-9-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-08-26T18:44:31.833Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-08T13:45:54.565Z", "value": "Made public."}], "datePublic": "2026-04-08T13:45:54.565Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-57851", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391104", "name": "RHBZ#2391104", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-01T20:44:04.799Z"}, "x_redhatCweChain": "CWE-276: Incorrect Default Permissions"}}, "cveMetadata": {"cveId": "CVE-2025-57851", "state": "PUBLISHED", "dateUpdated": "2026-05-01T20:44:04.799Z", "dateReserved": "2025-08-21T14:40:40.822Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-08T13:55:00.925Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:-:*:*:*:*:*:*:*", "matchCriteriaId": "7301AD20-0188-463F-9386-9D878AD3A542", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container."}], "id": "CVE-2025-57851", "lastModified": "2026-05-01T20:30:13.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T14:16:25.817", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2025-57851"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391104"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.", "bugzilla": {"description": "mce: privilege escalation via excessive /etc/passwd permissions", "id": "2391104", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391104"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-276", "details": ["A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container."], "name": "CVE-2025-57851", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Will not fix", "package_name": "multicluster-engine/agent-service-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-8-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-9-rhel9", "product_name": "Multicluster Engine for Kubernetes"}], "public_date": "2026-04-08T13:45:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-57851\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-57851"], "statement": "Red Hat Product Security has rated this vulnerability as moderate severity for affected products which run on OpenShift. The vulnerability allows for potential privilege escalation within a container, but OpenShift's default, multi-layered security posture effectively mitigates this risk. \nThe primary controls include the default Security Context Constraints (SCC), which severely limit a container's permissions from the start, and SELinux, which enforces mandatory access control to ensure strict isolation. While other container runtime environments may have different controls available and require case-by-case analysis, OpenShift's built-in defenses are designed to prevent this type of attack.\nOut of Box RHEL configuration isolates a single process inside a container. Unless multiple processes are packaged inside a single container, that defeats the principle behind containerization, this bug can not be used to meaningfully escalate privileges.\nAlso, RHEL, and any common linux distributions do NOT add any additional users to the root group. The presence of the root group is strictly due to conformance with POSIX permission management requirements and can be considered to be an artifact of filesystem permission limitations.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Multicluster Engine for Kubernetes", "source": "cna", "vendor": "Red Hat"}, "product": "multicluster_engine_for_kubernetes", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-08T15:21:20.552968+00:00", "value": {"mitigation_remediation": ["Apply the patched Multicluster Engine for Kubernetes image released by Red\u00a0Hat that makes /etc/passwd read\u2011only.", "Verify that none of the container images in use contain group\u2011writable /etc/passwd by inspecting file permissions.", "Restrict the root group within containers so that non\u2011root users cannot be members, or run containers with the least privilege.", "Monitor container activity for unexpected elevation attempts and review audit logs.", "If no patch is available immediately, temporarily disable routine processes that modify /etc/passwd from within containers."], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to all Red\u00a0Hat Multicluster Engine for Kubernetes images that include the group\u2011writable /etc/passwd. No specific product version information was supplied, so any image of this product lacking the patch remains vulnerable.", "description_and_impact": "A flaw during the construction of certain Multicluster Engine for Kubernetes images creates the /etc/passwd file as writable by the root group. An attacker with the ability to execute commands inside the container, even as a non\u2011root user, and who is a member of the root group, can modify this file. By inserting a new user entry with a chosen UID\u2014particularly UID\u00a00\u2014the attacker can gain full root privileges within the container, enabling arbitrary code execution and data tampering inside the container environment.", "risk_and_exploitability": "With a CVSS score of 6.4, the issue is considered medium severity. Exploitation requires the attacker to have some level of command execution within the container and membership in the root group; no EPSS data is available and the vulnerability is not listed in CISA\u2019s KEV catalog. While the attack is limited to containers with writable group permissions on /etc/passwd, gaining container root access poses a significant risk to the confidentiality, integrity, and availability of the containerized workloads."}}}}, "created": "2026-04-08T19:26:59.941336+00:00", "updated": "2026-04-08T19:39:28.372556+00:00", "vendors": ["redhat", "redhat$PRODUCT$multicluster_engine_for_kubernetes"]}