CVE-2019-19921
MEDIUM 5.9
EPSS 0.19%
Race condition in github.com/opencontainers/runc
Published: 5/27/2021
Modified: 4/28/2026
Description
runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)
Affected packages (3)
- Debian/runc from 0, < 1.0.0~rc10+dfsg1-1
- Go/github.com/opencontainers/runc from 0, < 1.0.0-rc9.0.20200122160610-2fc03cc11c77
- Go/github.com/opencontainers/runc from 0, < 1.0.0-rc9.0.20200122160610-2fc03cc11c77
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U |
References (20)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-19921
- WEB http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html
- WEB https://access.redhat.com/errata/RHSA-2020:0688
- WEB https://access.redhat.com/errata/RHSA-2020:0695
- WEB https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
- WEB https://github.com/opencontainers/runc/issues/2197
- WEB https://github.com/opencontainers/runc/pull/2190
- WEB https://github.com/opencontainers/runc/pull/2207
- WEB https://github.com/opencontainers/runc/releases
- WEB https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
- WEB https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
- WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN
- WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF
- WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD
- WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5
- WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ
- WEB https://pkg.go.dev/vuln/GO-2021-0087
- WEB https://security.gentoo.org/glsa/202003-21
- WEB https://security-tracker.debian.org/tracker/CVE-2019-19921
- WEB https://usn.ubuntu.com/4297-1