CVE-2025-57854
Received Received - Intake
Container Privilege Escalation in OpenShift Update Service via /etc/passwd

Publication date: 2026-04-08

Last updated on: 2026-05-04

Assigner: Red Hat, Inc.

Description
A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-57854
EUVD
EUVD-2025-209304
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat openshift_update_service *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-57854 is a container privilege escalation vulnerability found in certain OpenShift Update Service (OSUS) images. The issue arises because the /etc/passwd file is created with group-writable permissions during the build process. This means that if an attacker can run commands inside the affected container, even as a non-root user, and is part of the root group, they can modify the /etc/passwd file.

By modifying this file, the attacker can add a new user with any user ID they choose, including UID 0, which is the root user. This effectively grants the attacker full root privileges within the container.

Impact Analysis

This vulnerability can allow an attacker who has limited access inside a container to escalate their privileges to full root access within that container. With root privileges, the attacker can perform any action inside the container, potentially compromising the container's security and any applications or data it handles.

Such privilege escalation can lead to unauthorized access, data manipulation, or disruption of services running inside the container.

Detection Guidance

To detect this vulnerability on your system, you should check the permissions of the /etc/passwd file inside the affected containers. Specifically, verify if the /etc/passwd file has group-writable permissions, which is the root cause of the issue.

  • Run the command: ls -l /etc/passwd

If the output shows group-writable permissions (e.g., -rw-rw-r--), the container is vulnerable.

Additionally, check if any users inside the container belong to the root group, as this membership allows exploitation of the vulnerability.

  • Run the command: groups <username>
Mitigation Strategies

Immediate mitigation steps include ensuring that the /etc/passwd file inside the affected containers is not group-writable.

  • Modify the permissions of /etc/passwd to remove group write access by running: chmod 644 /etc/passwd

Also, restrict membership of non-root users in the root group within the container to prevent unauthorized modification of /etc/passwd.

Finally, update or rebuild the affected OpenShift Update Service (OSUS) images with corrected file permissions during build time to prevent recurrence.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57854. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart