Description
A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Published: 2026-04-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

A flaw during the construction of certain Multicluster Engine for Kubernetes images creates the /etc/passwd file as writable by the root group. An attacker with the ability to execute commands inside the container, even as a non‑root user, and who is a member of the root group, can modify this file. By inserting a new user entry with a chosen UID—particularly UID 0—the attacker can gain full root privileges within the container, enabling arbitrary code execution and data tampering inside the container environment.

Affected Systems

The vulnerability applies to all Red Hat Multicluster Engine for Kubernetes images that include the group‑writable /etc/passwd. No specific product version information was supplied, so any image of this product lacking the patch remains vulnerable.

Risk and Exploitability

With a CVSS score of 6.4, the issue is considered medium severity. Exploitation requires the attacker to have some level of command execution within the container and membership in the root group; no EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog. While the attack is limited to containers with writable group permissions on /etc/passwd, gaining container root access poses a significant risk to the confidentiality, integrity, and availability of the containerized workloads.

Generated by OpenCVE AI on April 8, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patched Multicluster Engine for Kubernetes image released by Red Hat that makes /etc/passwd read‑only.
  • Verify that none of the container images in use contain group‑writable /etc/passwd by inspecting file permissions.
  • Restrict the root group within containers so that non‑root users cannot be members, or run containers with the least privilege.
  • Monitor container activity for unexpected elevation attempts and review audit logs.
  • If no patch is available immediately, temporarily disable routine processes that modify /etc/passwd from within containers.

Generated by OpenCVE AI on April 8, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat multicluster Engine For Kubernetes
Vendors & Products Redhat multicluster Engine For Kubernetes

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Title Mce: privilege escalation via excessive /etc/passwd permissions
First Time appeared Redhat
Redhat multicluster Engine
Weaknesses CWE-276
CPEs cpe:/a:redhat:multicluster_engine
Vendors & Products Redhat
Redhat multicluster Engine
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Redhat Multicluster Engine Multicluster Engine For Kubernetes
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-08T15:18:38.990Z

Reserved: 2025-08-21T14:40:40.822Z

Link: CVE-2025-57851

cve-icon Vulnrichment

Updated: 2026-04-08T15:18:35.640Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T14:16:25.817

Modified: 2026-04-08T21:26:13.410

Link: CVE-2025-57851

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-08T13:45:54Z

Links: CVE-2025-57851 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:28Z

Weaknesses