CVE-2025-2713

Google gVisor's runsc component exhibited a local privilege escalation vulnerability due to incorrect handling of file access permissions, which allowed unprivileged users to access restricted files. This occurred because the process initially ran with root-like permissions until the first fork.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
GoogleCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
VendorProductVersion
googlegvisor
𝑥
< 20240325.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-gvisor-gvisor
bookworm
no-dsa
forky
0.0~20240729.0-4
fixed
sid
0.0~20240729.0-4
fixed
trixie
0.0~20240729.0-4
fixed
Common Weakness Enumeration
References
https://github.com/google/gvisor/commit/586c38d70081b13b2ed494cef48e99b93956843e