CVE-2025-57849
Container Privilege Escalation via Group-Writable /etc/passwd in Fuse Images
Publication date: 2026-03-13
Last updated on: 2026-03-13
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | fuse | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-57849 is a container privilege escalation vulnerability found in certain Fuse images. The issue arises because the /etc/passwd file is created with group-writable permissions during the build process. This means that users who are part of the root group inside the container can modify this file.
An attacker who can execute commands inside the affected container, even if they are not root, can exploit this flaw by modifying the /etc/passwd file. They can add a new user with any user ID they choose, including UID 0, which is the root user ID. This effectively grants the attacker full root privileges within the container.
How can this vulnerability impact me?
This vulnerability can allow an attacker with limited privileges inside a container to escalate their privileges to root level. This means they can gain full control over the container environment.
With root privileges, the attacker can perform any action within the container, such as accessing sensitive data, modifying system files, installing malicious software, or disrupting services running inside the container.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the permissions of the /etc/passwd file inside the affected containers. Specifically, you should verify if the /etc/passwd file has group-writable permissions, which is the root cause of this issue.
- Run the command: ls -l /etc/passwd
- Check if the group permissions include write access (e.g., -rw-rw-r--).
Additionally, verify if any non-root users inside the container are members of the root group, as this membership enables exploitation of the vulnerability.
- Run the command: groups <username>
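The two checks above, combined into one script as an added example that is not part of this record or of the Fuse images: it tests whether a rootfs's /etc/passwd is group- or other-writable (the CWE-276 condition) and lists the non-root accounts in gid 0, which are the accounts that could edit such a file. The sample rootfs, its paths and the account names svc and app are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a container rootfs (a running container's / or an extracted image
# layer) for a group-writable /etc/passwd and for non-root members of gid 0.

# Return 0 when the file is not writable by group or others, 1 otherwise.
# The mode string from `ls -l` has the group write bit at position 6 and the
# other write bit at position 9; this works with GNU and busybox ls alike.
passwd_is_hardened() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Print each account other than root whose primary group in passwd is gid 0
# or which is a supplementary member of "root" in group, one per line.
root_group_members() {
    {
        awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"
        awk -F: '$1 == "root" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i] }' "$2"
    } | sort -u
}

# Run both checks on a rootfs directory; returns 1 if the flaw is present.
audit_rootfs() {
    root="$1"
    if passwd_is_hardened "$root/etc/passwd"; then
        echo "OK: $root/etc/passwd is not group/other writable"
        return 0
    fi
    echo "FINDING: $root/etc/passwd mode $(ls -ld "$root/etc/passwd" | cut -c1-10) is group- or other-writable"
    echo "Accounts in gid 0 that could modify it:"
    root_group_members "$root/etc/passwd" "$root/etc/group" | sed 's/^/  /'
    return 1
}

# Constructed sample rootfs reproducing the vulnerable layout (not real data).
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'svc:x:1000:0:service account:/opt/svc:/sbin/nologin' \
        'app:x:1001:1001::/home/app:/bin/sh' > "$d/etc/passwd"
    printf '%s\n' 'root:x:0:app' 'app:x:1001:' > "$d/etc/group"
    chmod 664 "$d/etc/passwd"   # the group-writable mode the CVE describes
    printf '%s\n' "$d"
}

sample=$(make_sample_rootfs)
audit_rootfs "$sample"          # reports the finding and lists app and svc
chmod 644 "$sample/etc/passwd"  # the fix named in the mitigation section
audit_rootfs "$sample" && rm -rf "$sample"
```

Against a built image rather than a running container, point audit_rootfs at a directory produced by exporting the image filesystem.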
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include correcting the permissions of the /etc/passwd file inside the affected containers to remove group-writable access.
- Change the permissions of /etc/passwd to be non-group-writable using: chmod 644 /etc/passwd
Also, review and restrict group memberships to ensure that non-root users are not members of the root group within the container.
Consider rebuilding the container images with corrected file permissions during build time to prevent recurrence of this issue.