{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30892", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.701Z", "datePublished": "2026-03-25T23:57:01.741Z", "dateUpdated": "2026-03-26T18:10:16.318Z"}, "containers": {"cna": {"title": "Crun incorrectly parses `crun exec` option `-u`, leading to privilege escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj"}, {"name": "https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01", "tags": ["x_refsource_MISC"], "url": "https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01"}, {"name": "https://github.com/containers/crun/releases/tag/1.27", "tags": ["x_refsource_MISC"], "url": "https://github.com/containers/crun/releases/tag/1.27"}], "affected": [{"vendor": "containers", "product": "crun", "versions": [{"version": ">= 1.19, < 1.27", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:57:01.741Z"}, "descriptions": [{"lang": "en", "value": "crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue."}], "source": {"advisory": "GHSA-4vg2-xjqj-7chj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:09:51.829145Z", "id": "CVE-2026-30892", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:10:16.318Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30892", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:09:51.829145Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:09:59.199Z"}}], "cna": {"title": "Crun incorrectly parses `crun exec` option `-u`, leading to privilege escalation", "source": {"advisory": "GHSA-4vg2-xjqj-7chj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0, "attackVector": "LOCAL", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "containers", "product": "crun", "versions": [{"status": "affected", "version": ">= 1.19, < 1.27"}]}], "references": [{"url": "https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj", "name": "https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01", "name": "https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/containers/crun/releases/tag/1.27", "name": "https://github.com/containers/crun/releases/tag/1.27", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:57:01.741Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30892", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:10:16.318Z", "dateReserved": "2026-03-06T00:04:56.701Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T23:57:01.741Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:crun_project:crun:*:*:*:*:*:*:*:*", "matchCriteriaId": "E635F914-7CF7-4523-8934-12381C6B69FA", "versionEndIncluding": "1.27", "versionStartIncluding": "1.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue."}, {"lang": "es", "value": "crun es un entorno de ejecuci\u00f3n de contenedores OCI de c\u00f3digo abierto escrito \u00edntegramente en C. En las versiones 1.19 a 1.26, la opci\u00f3n `-u` (`--user`) de `crun exec` se analiza de forma incorrecta. El valor `1` se interpreta como UID 0 y GID 0, cuando deber\u00eda haber sido UID 1 y GID 0. Por lo tanto, el proceso se ejecuta con privilegios m\u00e1s elevados de lo esperado. La versi\u00f3n 1.27 corrige el problema."}], "id": "CVE-2026-30892", "lastModified": "2026-03-26T20:53:32.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 0.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T00:16:38.953", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/containers/crun/releases/tag/1.27"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.19,1.27)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "crun", "vendor": "containers"}], "analysis": {"en": {"generated_at": "2026-03-26T04:21:32.448935+00:00", "value": {"mitigation_remediation": ["Upgrade crun to version 1.27 or later, which corrects the user parsing bug."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The product affected is the crun container runtime provided by the containers:crun vendor. Versions 1.19 to 1.26 are impacted because they contain the parsing error. Version 1.27 and later include a patch that corrects the user interpretation.", "description_and_impact": "crun, an OCI container runtime written in C, contains a flaw in versions 1.19 through 1.26 where the -u (or --user) option of the crun exec command is parsed incorrectly. The value supplied as 1 is interpreted as UID 0, giving the executing process administrative privileges instead of the intended UID 1. This leads to a direct privilege escalation scenario identified as CWE-269.", "risk_and_exploitability": "The vulnerability is exploitable only when an attacker can invoke crun exec with the -u option, which is inferred to be possible if the attacker has permission to run crun commands in the environment. If such access exists, a single command can elevate privileges within the container. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog, but the impact is severe because it allows uncontrolled privilege escalation. Attacks are likely local and straightforward once the execution command is reachable."}}}}, "created": "2026-03-26T11:31:01.259349+00:00", "updated": "2026-03-26T12:09:03.197819+00:00", "vendors": ["containers", "containers$PRODUCT$crun"]}