Nixpkgs security tracker


Details of issue NIXPKGS-2026-2055

NIXPKGS-2026-2055
published 6 hours ago
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
CVE-2026-41579
3.3 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 6 hours ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    20 packages
    • nym
    • crunch
    • git-brunch
    • y-cruncher
    • speedcrunch
    • ocaml-crunch
    • untrunc-anthwlock
    • ocamlPackages.crunch
    • gnomeExtensions.runcat
    • haskellPackages.git-brunch
    • ocamlPackages_latest.crunch
    • perlPackages.StringTruncate
    • python312Packages.truncnorm
    • python313Packages.truncnorm
    • python314Packages.truncnorm
    • perl5Packages.StringTruncate
    • haskellPackages.html-truncate
    • perl538Packages.StringTruncate
    • perl540Packages.StringTruncate
    • vscode-extensions.42crunch.vscode-openapi
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations

runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions (all releases before 1.3.6, 1.4.0-rc.1 up to but not including 1.4.3, and 1.5.0-rc.1 up to but not including 1.5.0-rc.3), setupPtmx and setupDevSymlinks build their paths with filepath.Join, which joins the strings lexically and does not resolve symlinks, and then pass the result to os.Remove and os.Symlink while setting up the container rootfs. An image whose /dev is a symlink therefore redirects those calls to wherever the symlink points on the host: os.Remove can delete a file named ptmx in that host directory, and os.Symlink can create runc's hardcoded set of device symlinks (fixed names and targets) inside an arbitrary pre-existing host directory. The impact is limited to these integrity violations. This issue is not exploitable under Docker, because Docker creates a top-level read-only layer that masks any malicious /dev symlink present in the image; other higher-level runtimes built on runc that do not add such a layer remain exposed to exploitation via a malicious image. The issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0 (the fix first shipped in 1.5.0-rc.3).
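The following is an added example, not runc's own code or its actual fix: it reproduces the unsafe pattern the advisory describes (a lexical filepath.Join followed by os.Remove on <rootfs>/dev/ptmx while /dev in the rootfs is a symlink) against a constructed fixture, and sets it beside a hardened variant built on a small, simplified symlink-scoped join (secureJoin, a hypothetical helper written here; a production runtime would use a maintained implementation and also handle bind mounts and races, which this one does not). The fixture, the directory names and the file contents are all constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// secureJoin joins unsafe onto root while treating root as "/" for every
// symlink it meets: an absolute link target restarts at root, a relative one
// is expanded in place, and ".." can never climb above root. Components that
// do not exist are appended lexically. Simplified illustration, not runc's code.
func secureJoin(root, unsafe string) (string, error) {
	root = filepath.Clean(root)
	current := root
	remaining := strings.Split(filepath.Clean("/"+unsafe), "/")
	for hops := 0; len(remaining) > 0; hops++ {
		if hops > 255 {
			return "", errors.New("secureJoin: too many symlinks")
		}
		part := remaining[0]
		remaining = remaining[1:]
		switch part {
		case "", ".":
			continue
		case "..":
			if current != root { // never climb above root
				current = filepath.Dir(current)
			}
			continue
		}
		next := filepath.Join(current, part)
		fi, err := os.Lstat(next)
		if errors.Is(err, os.ErrNotExist) {
			current = next // rest of the path cannot exist either; keep it lexical
			continue
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			current = next
			continue
		}
		target, err := os.Readlink(next)
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			current = root // absolute target is re-rooted at root, not at the host "/"
		}
		remaining = append(strings.Split(filepath.Clean(target), "/"), remaining...)
	}
	return current, nil
}

// vulnerableRemovePtmx mirrors the pattern the advisory describes: the path is
// built lexically, so when <rootfs>/dev is a symlink the os.Remove follows it
// and acts on whatever it points at on the host.
func vulnerableRemovePtmx(rootfs string) error {
	return os.Remove(filepath.Join(rootfs, "dev", "ptmx"))
}

// hardenedRemovePtmx resolves the path inside rootfs first; a /dev symlink that
// points at a host directory is reinterpreted relative to rootfs and cannot escape.
func hardenedRemovePtmx(rootfs string) error {
	p, err := secureJoin(rootfs, "dev/ptmx")
	if err != nil {
		return err
	}
	return os.Remove(p)
}

// Outcome records what each variant did to the host-side file.
type Outcome struct {
	Rootfs, HardenedPath                               string
	VulnerableDeletedHostFile, HardenedDeletedHostFile bool
}

// RunDemo builds a constructed fixture under a temp dir: a fake "host" directory
// holding a file named ptmx, and a container rootfs whose /dev is a symlink to
// that host directory (what a malicious image could ship). It then runs the
// hardened removal, checks the host file, then the vulnerable one, and checks again.
func RunDemo() (Outcome, error) {
	var out Outcome
	base, err := os.MkdirTemp("", "ptmx-demo")
	if err != nil {
		return out, err
	}
	defer os.RemoveAll(base)
	host, rootfs := filepath.Join(base, "host"), filepath.Join(base, "rootfs")
	hostPtmx := filepath.Join(host, "ptmx")
	for _, e := range []error{os.MkdirAll(host, 0o755), os.MkdirAll(rootfs, 0o755),
		os.WriteFile(hostPtmx, []byte("constructed host file\n"), 0o644),
		os.Symlink(host, filepath.Join(rootfs, "dev"))} { // the malicious /dev symlink
		if e != nil {
			return out, e
		}
	}
	out.Rootfs = rootfs
	if out.HardenedPath, err = secureJoin(rootfs, "dev/ptmx"); err != nil {
		return out, err
	}
	_ = hardenedRemovePtmx(rootfs) // fails with "not exist": target stays under rootfs
	_, err = os.Lstat(hostPtmx)
	out.HardenedDeletedHostFile = errors.Is(err, os.ErrNotExist)
	_ = vulnerableRemovePtmx(rootfs) // follows the symlink and deletes the host file
	_, err = os.Lstat(hostPtmx)
	out.VulnerableDeletedHostFile = errors.Is(err, os.ErrNotExist)
	return out, nil
}

func main() {
	out, err := RunDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

Running it shows HardenedPath lying under Rootfs (the absolute symlink target is re-rooted, so the resolved path is <rootfs><host dir>/ptmx, which does not exist) while the lexical join deletes the host's ptmx. The same resolution step would protect the os.Symlink calls that create the hardcoded /dev entries, since the only thing that changes is the path handed to the syscall.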

Affected products

runc
  • >= 1.4.0-rc.1, < 1.4.3
  • < 1.3.6
  • >= 1.5.0-rc.1, < 1.5.0-rc.3

Matching in nixpkgs

pkgs.runc

CLI tool for spawning and running containers according to the OCI specification

Ignored packages (20)

pkgs.crunch

Wordlist generator

  • nixos-unstable 3.6
    • nixpkgs-unstable 3.6
    • nixos-unstable-small 3.6
  • nixos-26.05 3.6
    • nixos-26.05-small 3.6
    • nixpkgs-26.05-darwin 3.6

pkgs.gnomeExtensions.runcat

The cat tells you the CPU usage by running speed

  • nixos-unstable 32
    • nixpkgs-unstable 32
    • nixos-unstable-small 32
  • nixos-26.05 32
    • nixos-26.05-small 32
    • nixpkgs-26.05-darwin 32

Package maintainers