{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30892", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.701Z", "datePublished": "2026-03-25T23:57:01.741Z", "dateUpdated": "2026-03-26T18:10:16.318Z"}, "containers": {"cna": {"title": "Crun incorrectly parses `crun exec` option `-u`, leading to privilege escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj"}, {"name": "https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01", "tags": ["x_refsource_MISC"], "url": "https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01"}, {"name": "https://github.com/containers/crun/releases/tag/1.27", "tags": ["x_refsource_MISC"], "url": "https://github.com/containers/crun/releases/tag/1.27"}], "affected": [{"vendor": "containers", "product": "crun", "versions": [{"version": ">= 1.19, < 1.27", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:57:01.741Z"}, "descriptions": [{"lang": "en", "value": "crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue."}], "source": {"advisory": "GHSA-4vg2-xjqj-7chj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:09:51.829145Z", "id": "CVE-2026-30892", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:10:16.318Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30892", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:09:51.829145Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:09:59.199Z"}}], "cna": {"title": "Crun incorrectly parses `crun exec` option `-u`, leading to privilege escalation", "source": {"advisory": "GHSA-4vg2-xjqj-7chj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0, "attackVector": "LOCAL", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "containers", "product": "crun", "versions": [{"status": "affected", "version": ">= 1.19, < 1.27"}]}], "references": [{"url": "https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj", "name": "https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01", "name": "https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/containers/crun/releases/tag/1.27", "name": "https://github.com/containers/crun/releases/tag/1.27", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:57:01.741Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30892", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:10:16.318Z", "dateReserved": "2026-03-06T00:04:56.701Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T23:57:01.741Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:crun_project:crun:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD451ABD-D466-4EB5-969D-E7D5844BDAA8", "versionEndExcluding": "1.27", "versionStartIncluding": "1.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue."}, {"lang": "es", "value": "crun es un entorno de ejecuci\u00f3n de contenedores OCI de c\u00f3digo abierto escrito \u00edntegramente en C. En las versiones 1.19 a 1.26, la opci\u00f3n `-u` (`--user`) de `crun exec` se analiza de forma incorrecta. El valor `1` se interpreta como UID 0 y GID 0, cuando deber\u00eda haber sido UID 1 y GID 0. Por lo tanto, el proceso se ejecuta con privilegios m\u00e1s elevados de lo esperado. La versi\u00f3n 1.27 corrige el problema."}], "id": "CVE-2026-30892", "lastModified": "2026-03-27T20:29:27.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 0.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T00:16:38.953", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/containers/crun/releases/tag/1.27"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "crun: crun: Privilege escalation due to incorrect parsing of the `--user` option", "id": "2451576", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451576"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-115", "details": ["crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue.", "A flaw was found in crun, an open-source OCI Container Runtime. A local user can exploit this vulnerability due to incorrect parsing of the `--user` option when using `crun exec`. The value `1` is misinterpreted as root privileges (User ID 0 and Group ID 0) instead of the intended User ID 1 and Group ID 0. This allows a process to run with higher privileges than expected, leading to privilege escalation."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-30892", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "crun", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/crun", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "crun", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "crun", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T23:57:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30892\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30892\nhttps://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01\nhttps://github.com/containers/crun/releases/tag/1.27\nhttps://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.19,1.27)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "crun", "vendor": "containers"}], "analysis": {"en": {"generated_at": "2026-03-27T14:21:32.892791+00:00", "value": {"mitigation_remediation": ["Upgrade crun to version 1.27 or later to apply the security fix."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects crun, the open\u2011source OCI container runtime from the Crun Project, in releases 1.19 through 1.26. Version 1.27 and later contain the fix.", "description_and_impact": "An flaw in the crun container runtime\u2019s exec command incorrectly interprets the user option \u2013u/--user, causing the value \"1\" to be treated as UID 0 rather than UID 1. The result is that a process started inside a container runs with full root privileges. This is an example of CWE\u2011115 (incorrect validation of input) and CWE\u2011269 (identity confusion).", "risk_and_exploitability": "The EPSS score is below 1% and the flaw is not listed in CISA\u2019s KEV catalog, suggesting few observed exploits to date. Nonetheless, the potential impact is severe because privilege escalation from a non\u2011root container process to UID 0 can compromise the host. The attack is likely local; any user able to invoke crun exec with the erroneous -u option can exploit it. If the runtime is accessible from untrusted networks, the risk grows. Applying the patched release or disabling the errant option removes the threat."}}}}, "created": "2026-03-26T11:31:01.259349+00:00", "updated": "2026-03-27T15:47:48.185658+00:00", "vendors": ["containers", "containers$PRODUCT$crun"]}