Executive Summary

CVE-2026-30892 is a vulnerability in the open source OCI Container Runtime called crun, affecting versions 1.19 through 1.26. The issue lies in the incorrect parsing of the `-u` (or `--user`) option in the `crun exec` command. Specifically, when the user specifies the value "1" for this option, crun mistakenly interprets it as UID 0 and GID 0 (root user and group) instead of the intended UID 1 and GID 0. This causes the executed process to run with root privileges unexpectedly.

The root cause is a bug in the function `make_oci_process_user()` where the user structure is returned before setting the correct UID. This regression was introduced in a previous commit and fixed in version 1.27.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to local privilege escalation. When a process is executed with the `-u 1` option, it unexpectedly runs with root privileges (UID 0), granting it higher privileges than intended.

This means an attacker or user with local access could exploit this flaw to run processes with elevated privileges, potentially bypassing security restrictions and gaining unauthorized control over the container or host environment.

However, the CVSS v3.1 base score is 0.0, indicating low severity, with no impact on confidentiality, integrity, or availability, and the attack vector is local with low complexity.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises from incorrect parsing of the -u (--user) option in the crun exec command, where specifying the user ID 1 is incorrectly interpreted as UID 0 (root). To detect this issue on your system, you can test the behavior of crun exec with the -u option by running a command that executes a process as user 1 and verifying the actual UID the process runs under.

For example, you can run a container or process using crun exec with the -u 1 option and check the effective user ID inside the container or process. If the process runs as root (UID 0) instead of UID 1, the vulnerability is present.

A suggested command to test this could be:

• crun exec -u 1 <container_or_process> id -u

If the output is 0 instead of 1, the vulnerability exists.

Additionally, comparing behavior with other runtimes like runc can help confirm the issue, as runc correctly executes the process as UID 1.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade crun to version 1.27 or later, where the parsing issue of the -u (--user) option has been fixed.

Until the upgrade is applied, avoid using the -u option with the value 1 in crun exec commands, as this triggers the vulnerability.

Alternatively, consider using other container runtimes such as runc that do not exhibit this behavior.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in crun causes processes to run with higher privileges than expected due to incorrect parsing of the user ID in the `crun exec -u` option. However, the CVSS score is 0.0, indicating no impact on confidentiality, integrity, or availability.

Given the lack of impact on confidentiality, integrity, or availability, and the local scope of the vulnerability, there is no direct indication from the provided information that this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0