cvelistv5 - cve-2025-24965

CVE-2025-24965 (GCVE-0-2025-24965)

Vulnerability from cvelistv5 – Published: 2025-02-19 16:46 – Updated: 2025-02-19 16:56

Summary

crun is an open source OCI Container Runtime fully written in C. In affected versions A malicious container image could trick the krun handler into escaping the root filesystem, allowing file creation or modification on the host. No special permissions are needed, only the ability for the current user to write to the target file. The problem is fixed in crun 1.20 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity ?

8.5 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	containers	crun	Affected: < 1.20

FKIE_CVE-2025-24965

Vulnerability from fkie_nvd - Published: 2025-02-19 17:15 - Updated: 2025-02-19 17:15

Severity ?

8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7
	security-advisories@github.com	https://github.com/containers/crun/releases/tag/1.20
	security-advisories@github.com	https://github.com/containers/crun/security/advisories/GHSA-f42g-r5jj-qh4j

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "crun is an open source OCI Container Runtime fully written in C. In affected versions A malicious container image could trick the krun handler into escaping the root filesystem, allowing file creation or modification on the host. No special permissions are needed, only the ability for the current user to write to the target file. The problem is fixed in crun 1.20 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "Crun es un tiempo de ejecuci\u00f3n de contenedores OCI de c\u00f3digo abierto completamente escrito en C. En versiones afectadas, una imagen de contenedor malicioso podr\u00eda enga\u00f1ar al controlador Krun para que escape del sistema de archivos ra\u00edz, permitiendo la creaci\u00f3n o modificaci\u00f3n de archivos en el host. No se necesitan permisos especiales, solo la capacidad del usuario actual de escribir en el archivo de destino. El problema se soluciona en Crun 1.20 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2025-24965",
  "lastModified": "2025-02-19T17:15:15.510",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-19T17:15:15.510",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/containers/crun/releases/tag/1.20"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/containers/crun/security/advisories/GHSA-f42g-r5jj-qh4j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

OPENSUSE-SU-2025:14763-1

Vulnerability from csaf_opensuse - Published: 2025-02-11 00:00 - Updated: 2025-02-11 00:00

Summary

crun-1.20-1.1 on GA media

Notes

Title of the patch

crun-1.20-1.1 on GA media

Description of the patch

These are all security issues fixed in the crun-1.20-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-14763

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "crun-1.20-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the crun-1.20-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-14763",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14763-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:14763-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DLK577HEHAUL3SZVLK3XGMIGJPDZKM4E/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:14763-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DLK577HEHAUL3SZVLK3XGMIGJPDZKM4E/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-24965 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-24965/"
      }
    ],
    "title": "crun-1.20-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-02-11T00:00:00Z",
      "generator": {
        "date": "2025-02-11T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:14763-1",
      "initial_release_date": "2025-02-11T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-02-11T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crun-1.20-1.1.aarch64",
                "product": {
                  "name": "crun-1.20-1.1.aarch64",
                  "product_id": "crun-1.20-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crun-1.20-1.1.ppc64le",
                "product": {
                  "name": "crun-1.20-1.1.ppc64le",
                  "product_id": "crun-1.20-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crun-1.20-1.1.s390x",
                "product": {
                  "name": "crun-1.20-1.1.s390x",
                  "product_id": "crun-1.20-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crun-1.20-1.1.x86_64",
                "product": {
                  "name": "crun-1.20-1.1.x86_64",
                  "product_id": "crun-1.20-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:crun-1.20-1.1.aarch64"
        },
        "product_reference": "crun-1.20-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:crun-1.20-1.1.ppc64le"
        },
        "product_reference": "crun-1.20-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:crun-1.20-1.1.s390x"
        },
        "product_reference": "crun-1.20-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:crun-1.20-1.1.x86_64"
        },
        "product_reference": "crun-1.20-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-24965",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-24965"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "crun is an open source OCI Container Runtime fully written in C. In affected versions A malicious container image could trick the krun handler into escaping the root filesystem, allowing file creation or modification on the host. No special permissions are needed, only the ability for the current user to write to the target file. The problem is fixed in crun 1.20 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:crun-1.20-1.1.aarch64",
          "openSUSE Tumbleweed:crun-1.20-1.1.ppc64le",
          "openSUSE Tumbleweed:crun-1.20-1.1.s390x",
          "openSUSE Tumbleweed:crun-1.20-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-24965",
          "url": "https://www.suse.com/security/cve/CVE-2025-24965"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1237421 for CVE-2025-24965",
          "url": "https://bugzilla.suse.com/1237421"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:crun-1.20-1.1.aarch64",
            "openSUSE Tumbleweed:crun-1.20-1.1.ppc64le",
            "openSUSE Tumbleweed:crun-1.20-1.1.s390x",
            "openSUSE Tumbleweed:crun-1.20-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:crun-1.20-1.1.aarch64",
            "openSUSE Tumbleweed:crun-1.20-1.1.ppc64le",
            "openSUSE Tumbleweed:crun-1.20-1.1.s390x",
            "openSUSE Tumbleweed:crun-1.20-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-11T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-24965"
    }
  ]
}

OPENSUSE-SU-2025:0074-1

Vulnerability from csaf_opensuse - Published: 2025-02-24 15:01 - Updated: 2025-02-24 15:01

Summary

Security update for crun

Notes

Title of the patch

Security update for crun

Description of the patch

This update for crun fixes the following issues: Update to 1.20: * krun: fix CVE-2025-24965. The .krun_config.json file could be created outside of the container rootfs. (bsc#1237421) * cgroup: reverted the removal of tun/tap from the default allow list, this was done in crun-1.5. The tun/tap device is now added by default again. * CRIU: do not set network_lock unless explicitly specified. * status: disallow container names containing slashes in their name. * linux: Improved error message when failing to set the net.ipv4.ping_group_range sysctl. * scheduler: Ignore ENOSYS errors when resetting the CPU affinity mask. * linux: return a better error message when pidfd_open fails with EINVAL. * cgroup: display the absolute path to cgroup.controllers when a controller is unavailable. * exec: always call setsid. Now processes created through exec get the correct process group id. Update to 1.19.1: * linux: fix a hang if there are no reads from the tty. Use non blocking sockets to read and write from the tty so that the 'crun exec' process doesn't hang when the terminal is not consuming any data. * linux: remove the workaround needed to mount a cgroup on top of another cgroup mount. The workaround had the disadvantage to temporarily leak a mount on the host. The alternative that is currently used is to mount a temporary tmpfs between the twoo cgroup mounts. Update to 1.19: * wasm: add new handler wamr. * criu: allow passing network lock method to libcriu. * linux: honor exec cpu affinity mask. * build: fix build with musl libc. * crun: use mount API to self-clone. * cgroup, systemd: do not override devices on update. If the 'update' request has no device block configured, do not reset the previously configuration. * cgroup: handle case where cgroup v1 freezer is disabled. On systems without the freezer controller, containers were mistakenly reported as paused. * cgroup: do not stop process on exec. The cpu mask is configured on the systemd scope, the previous workaround to stop the container until the cgroup is fully configured is no longer needed. - Update to crun v1.18.2 Upstream changelog is available from <https://github.com/containers/crun/releases/tag/1.18.2> - Update to crun v1.18. Upstream changelog is available from <https://github.com/containers/crun/releases/tag/1.18> Update to 1.17: * Add --log-level option. It accepts error, warning and error. * Add debug logs for container creation. * Fix double-free in crun exec code that could lead to a crash. * Allow passing an ID to the journald log driver. * Report 'executable not found' errors after tty has been setup. * Do not treat EPIPE from hooks as an error. * Make sure DefaultDependencies is correctly set in the systemd scope. * Improve the error message when the container process is not found. * Improve error handling for the mnt namespace restoration. * Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux. * Fix handling of device paths with trailing slashes. - add url for keyring - enable leap by disabling wasmedge (not packaged for leap) Upstream release 1.16.1: - fix a regression introduced by 1.16 where using 'rshared' rootfs mount propagation and the rootfs itself is a mountpoint. - inherit user from original process on exec, if not overridden. Update to 1.16: - build: fix build for s390x. - linux: fix mount of special files with rro. Open the mount target with O_PATH to prevent open(2) failures with special files like FIFOs or UNIX sockets. - Fix sd-bus error handling for cpu quota and period props update. - container: use relative path for rootfs if possible. If the rootfs cannot be resolved and it is below the current working directory, only use its relative path. - wasmedge: access container environment variables for the WasmEdge configuration. - cgroup, systemd: use MemoryMax instead of MemoryLimit. Fixes a warning for using an old configuration name. - cgroup, systemd: improve checks for sd_bus_message_append errors New upstream release 1.15: * fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY. * linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run. * release: build s390x binaries using musl libc. * features: add support for potentiallyUnsafeConfigAnnotations. * handlers: add option to load wasi-nn plugin for wasmedge. * linux: fix 'harden chdir()' security measure. The previous check was not correct. * crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits. New upstream release 1.14.4: - linux: fix mount of file with recursive flags. Do not assume it is a directory, but check the source type. - follow up for 1.14.2. Drop the version check for each command. - crun: drop check for OCI version. A recent bump in the OCI runtime specs caused crun to fail with every config file. Just drop the check since it doesn't add any value. - there was recently a security vulnerability (CVE-2024-21626) in runc that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is outside the container rootfs. While crun is not affected directly, harden chdir by validating that we are still inside the container rootfs. - container: attempt to close all the files before execv(2). if we leak any fd, it prevents execv to gain access to files outside the container rootfs through /proc/self/fd/$fd. - fix a regression caused by 1.14 when installing the ebpf filter on a kernel older than 5.11. - cgroup, systemd: fix segfault if the resources block is not specified. Update to 1.14: * build: drop dependency on libgcrypt. Use blake3 to compute the cache key. * cpuset: don't clobber parent cgroup value when writing the cpuset value. * linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process, allowing file permissions to be set as specified in the OCI configuration. * ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11. - update to 1.13: * src: use O_CLOEXEC for all open/openat calls * cgroup v1: use 'max' when pids limit < 0. * improve error message when idmap mount fails because the underlying file system has no support for it. * libcrun: fix compilation when building without libseccomp and libcap. * fix relative idmapped mount when using the custom annotation. - New upstream release 1.12: * add new WebAssembly handler: spin. * systemd: fallback to system bus if session bus is not available. * configure the cpu rt and cpuset controllers before joining them to avoid running temporarily the workload on the wrong cpus. * preconfigure the cpuset with required resources instead of using the parent's set. This prevents needless churn in the kernel as it tracks which CPUs have load balancing disabled. * try attr/<lsm>/* before the attr/* files. Writes to the attr/* files may fail if apparmor is not the first 'major' LSM in the list of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor). - New upstream release 1.11.2: * fix a regression caused by 1.11.1 where the process crashes if there are no CPU limits configured on cgroup v1. (boo#1217590) * fix error code check for the ptsname_r function. - update to 1.11.1: * force a remount operation with bind mounts from the host to correctly set all the mount flags. * cgroup: honor cpu burst. * systemd: set CPUQuota and CPUPeriod on the scope cgroup. * linux: append tmpfs mode if missing for mounts. This is the same behavior of runc. * cgroup: always use the user session for rootless. * support for Intel Resource Director Technology (RDT). * new mount option 'copy-symlink'. When provided for a mount, if the source is a symlink, then it is copied in the container instead of attempting a mount. * linux: open mounts before setgroups if in a userns. This solves a problem where a directory that was previously accessible to the user, become inaccessible after setgroups causing the bind mount to fail. - New upstream release 1.9.2: * cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels do that automatically, but new kernels remember the affinity that was set before the cgroup move, so we need to reset it in order to honor the cpuset configuration. - New upstream release 1.9.1: * utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6 that always refuses chmod on a symlink. * build: fix build on CentOS 7 * linux: add new fallback when mount fails with EBUSY, so that there is not an additional tmpfs mount if not needed. * utils: improve error message when a directory cannot be created as a component of the path is already existing as a non directory. - Only build with wasmedge on x86_64 & aarch64 - Add crun-wasm symlink for platform 'wasi/wasm' - Update to 1.9: * linux: support arbitrary idmapped mounts. * linux: add support for 'ridmap' mount option to support recursive idmapped mounts. * crun delete: call systemd's reset-failed. * linux: fix check for oom_score_adj. * features: Support mountExtensions. * linux: correctly handle unknown signal string when it doesn't start with a digit. * linux: do not attempt to join again already joined namespace. * wasmer: use latest wasix API. - Enable WasmEdge support to run Wasm compat containers. * linux: idmapped mounts expect the same configuration as mapping. It is a breaking change, but the behavior was aligned * cgroup: always delete the cgroup on errors. exec: fix double free when using --apparmor and

Patchnames

openSUSE-2025-74

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for crun",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for crun fixes the following issues:\n\nUpdate to 1.20:\n\n  * krun: fix CVE-2025-24965. The .krun_config.json file could be created outside of the container rootfs. (bsc#1237421)\n  * cgroup: reverted the removal of tun/tap from the default allow list, this was done in crun-1.5. The tun/tap device is now added by default again.\n  * CRIU: do not set network_lock unless explicitly specified.\n  * status: disallow container names containing slashes in their name.\n  * linux: Improved error message when failing to set the net.ipv4.ping_group_range sysctl.\n  * scheduler: Ignore ENOSYS errors when resetting the CPU affinity mask.\n  * linux: return a better error message when pidfd_open fails with EINVAL.\n  * cgroup: display the absolute path to cgroup.controllers when a controller is unavailable.\n  * exec: always call setsid. Now processes created through exec get the correct process group id.\n\nUpdate to 1.19.1:\n\n  * linux: fix a hang if there are no reads from the tty. Use non blocking\n    sockets to read and write from the tty so that the \u0027crun exec\u0027 process\n    doesn\u0027t hang when the terminal is not consuming any data.\n  * linux: remove the workaround needed to mount a cgroup on top of\n    another cgroup mount. The workaround had the disadvantage to temporarily\n    leak a mount on the host. The alternative that is currently used is\n    to mount a temporary tmpfs between the twoo cgroup mounts.\n\nUpdate to 1.19:\n  * wasm: add new handler wamr.\n  * criu: allow passing network lock method to libcriu.\n  * linux: honor exec cpu affinity mask.\n  * build: fix build with musl libc.\n  * crun: use mount API to self-clone.\n  * cgroup, systemd: do not override devices on update. If the \u0027update\u0027 request has no device block configured, do not reset the previously configuration.\n  * cgroup: handle case where cgroup v1 freezer is disabled. On systems without the freezer controller, containers were mistakenly reported as paused.\n  * cgroup: do not stop process on exec. The cpu mask is configured on the systemd scope, the previous workaround to stop the container until the cgroup is fully configured is no longer needed.\n\n- Update to crun v1.18.2 Upstream changelog is available from\n  \u003chttps://github.com/containers/crun/releases/tag/1.18.2\u003e\n\n- Update to crun v1.18. Upstream changelog is available from\n  \u003chttps://github.com/containers/crun/releases/tag/1.18\u003e\n\nUpdate to 1.17:\n\n  * Add --log-level option. It accepts error, warning and error.\n  * Add debug logs for container creation.\n  * Fix double-free in crun exec code that could lead to a crash.\n  * Allow passing an ID to the journald log driver.\n  * Report \u0027executable not found\u0027 errors after tty has been setup.\n  * Do not treat EPIPE from hooks as an error.\n  * Make sure DefaultDependencies is correctly set in the systemd scope.\n  * Improve the error message when the container process is not found.\n  * Improve error handling for the mnt namespace restoration.\n  * Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux.\n  * Fix handling of device paths with trailing slashes.\n- add url for keyring\n- enable leap by disabling wasmedge (not packaged for leap)\n\nUpstream release 1.16.1:\n \n- fix a regression introduced by 1.16 where using \u0027rshared\u0027 rootfs mount propagation and the rootfs itself is a mountpoint.\n- inherit user from original process on exec, if not overridden.\n\nUpdate to 1.16:\n\n- build: fix build for s390x.\n- linux: fix mount of special files with rro.  Open the mount target with O_PATH to prevent open(2) failures with special files like FIFOs or UNIX sockets.\n- Fix sd-bus error handling for cpu quota and period props update.\n- container: use relative path for rootfs if possible.  If the rootfs cannot be resolved and it is below the current working directory, only use its relative path.\n- wasmedge: access container environment variables for the WasmEdge configuration.\n- cgroup, systemd: use MemoryMax instead of MemoryLimit.  Fixes a warning for using an old configuration name.\n- cgroup, systemd: improve checks for sd_bus_message_append errors\n\nNew upstream release 1.15:\n\n  * fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY.\n  * linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run.\n  * release: build s390x binaries using musl libc.\n  * features: add support for potentiallyUnsafeConfigAnnotations.\n  * handlers: add option to load wasi-nn plugin for wasmedge.\n  * linux: fix \u0027harden chdir()\u0027 security measure. The previous check was not correct.\n  * crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits.\n\nNew upstream release 1.14.4:\n\n- linux: fix mount of file with recursive flags.  Do not assume it is\n  a directory, but check the source type.\n\n- follow up for 1.14.2.  Drop the version check for each command.\n\n- crun: drop check for OCI version.  A recent bump in the OCI runtime\n  specs caused crun to fail with every config file.  Just drop the\n  check since it doesn\u0027t add any value.\n\n- there was recently a security vulnerability (CVE-2024-21626) in runc\n  that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is\n  outside the container rootfs.  While crun is not affected directly,\n  harden chdir by validating that we are still inside the container\n  rootfs.\n- container: attempt to close all the files before execv(2).\n  if we leak any fd, it prevents execv to gain access to files outside\n  the container rootfs through /proc/self/fd/$fd.\n- fix a regression caused by 1.14 when installing the ebpf filter on a\n  kernel older than 5.11.\n- cgroup, systemd: fix segfault if the resources block is not specified.\n\nUpdate to 1.14:\n\n  * build: drop dependency on libgcrypt. Use blake3 to compute the cache key.\n  * cpuset: don\u0027t clobber parent cgroup value when writing the cpuset value.\n  * linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process,\n    allowing file permissions to be set as specified in the OCI configuration.\n  * ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.\n- update to 1.13:\n  * src: use O_CLOEXEC for all open/openat calls\n  * cgroup v1: use \u0027max\u0027 when pids limit \u003c 0.\n  * improve error message when idmap mount fails because the underlying file system has no support for it.\n  * libcrun: fix compilation when building without libseccomp and libcap.\n  * fix relative idmapped mount when using the custom annotation.\n\n- New upstream release 1.12:\n  * add new WebAssembly handler: spin.\n  * systemd: fallback to system bus if session bus is not available.\n  * configure the cpu rt and cpuset controllers before joining them to\n    avoid running temporarily the workload on the wrong cpus.\n  * preconfigure the cpuset with required resources instead of using the\n    parent\u0027s set.  This prevents needless churn in the kernel as it\n    tracks which CPUs have load balancing disabled.\n  * try attr/\u003clsm\u003e/* before the attr/* files.  Writes to the attr/*\n    files may fail if apparmor is not the first \u0027major\u0027 LSM in the list\n    of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor).\n- New upstream release 1.11.2:\n  * fix a regression caused by 1.11.1 where the process crashes if there\n    are no CPU limits configured on cgroup v1. (boo#1217590)\n  * fix error code check for the ptsname_r function.\n\n- update to 1.11.1:\n  * force a remount operation with bind mounts from the host to\n    correctly set all the mount flags.\n  * cgroup: honor cpu burst.\n  * systemd: set CPUQuota and CPUPeriod on the scope cgroup.\n  * linux: append tmpfs mode if missing for mounts.  This is the\n    same behavior of runc.\n  * cgroup: always use the user session for rootless.\n  * support for Intel Resource Director Technology (RDT).\n  * new mount option \u0027copy-symlink\u0027.  When provided for a mount,\n    if the source is a symlink, then it is copied in the container\n    instead of attempting a mount.\n  * linux: open mounts before setgroups if in a userns.  This\n    solves a problem where a directory that was previously\n    accessible to the user, become inaccessible after setgroups\n    causing the bind mount to fail.\n\n- New upstream release 1.9.2:\n  * cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels\n    do that automatically, but new kernels remember the affinity that was set\n    before the cgroup move, so we need to reset it in order to honor the cpuset\n    configuration.\n- New upstream release 1.9.1:\n  * utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6\n    that always refuses chmod on a symlink.\n  * build: fix build on CentOS 7\n  * linux: add new fallback when mount fails with EBUSY, so that there is not an\n    additional tmpfs mount if not needed.\n  * utils: improve error message when a directory cannot be created as a\n    component of the path is already existing as a non directory.\n- Only build with wasmedge on x86_64 \u0026 aarch64\n\n- Add crun-wasm symlink for platform \u0027wasi/wasm\u0027\n\n- Update to 1.9:\n  * linux: support arbitrary idmapped mounts.\n  * linux: add support for \u0027ridmap\u0027 mount option to support recursive\n    idmapped mounts.\n  * crun delete: call systemd\u0027s reset-failed.\n  * linux: fix check for oom_score_adj.\n  * features: Support mountExtensions.\n  * linux: correctly handle unknown signal string when it doesn\u0027t start with\n    a digit.\n  * linux: do not attempt to join again already joined namespace.\n  * wasmer: use latest wasix API.\n\n- Enable WasmEdge support to run Wasm compat containers.\n\n  * linux: idmapped mounts expect the same configuration as\n    mapping. It is a breaking change, but the behavior was aligned\n  * cgroup: always delete the cgroup on errors.\n   exec: fix double free when using --apparmor and",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2025-74",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_0074-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:0074-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MFFSKUX256PEK52RLQGT33MIN3ZQO27D/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:0074-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MFFSKUX256PEK52RLQGT33MIN3ZQO27D/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1217590",
        "url": "https://bugzilla.suse.com/1217590"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1218894",
        "url": "https://bugzilla.suse.com/1218894"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1237421",
        "url": "https://bugzilla.suse.com/1237421"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-21626 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-21626/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-24965 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-24965/"
      }
    ],
    "title": "Security update for crun",
    "tracking": {
      "current_release_date": "2025-02-24T15:01:42Z",
      "generator": {
        "date": "2025-02-24T15:01:42Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:0074-1",
      "initial_release_date": "2025-02-24T15:01:42Z",
      "revision_history": [
        {
          "date": "2025-02-24T15:01:42Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crun-1.20-bp156.2.3.1.aarch64",
                "product": {
                  "name": "crun-1.20-bp156.2.3.1.aarch64",
                  "product_id": "crun-1.20-bp156.2.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crun-1.20-bp156.2.3.1.i586",
                "product": {
                  "name": "crun-1.20-bp156.2.3.1.i586",
                  "product_id": "crun-1.20-bp156.2.3.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crun-1.20-bp156.2.3.1.ppc64le",
                "product": {
                  "name": "crun-1.20-bp156.2.3.1.ppc64le",
                  "product_id": "crun-1.20-bp156.2.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crun-1.20-bp156.2.3.1.s390x",
                "product": {
                  "name": "crun-1.20-bp156.2.3.1.s390x",
                  "product_id": "crun-1.20-bp156.2.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crun-1.20-bp156.2.3.1.x86_64",
                "product": {
                  "name": "crun-1.20-bp156.2.3.1.x86_64",
                  "product_id": "crun-1.20-bp156.2.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP6",
                "product": {
                  "name": "SUSE Package Hub 15 SP6",
                  "product_id": "SUSE Package Hub 15 SP6"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-bp156.2.3.1.aarch64 as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.aarch64"
        },
        "product_reference": "crun-1.20-bp156.2.3.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-bp156.2.3.1.i586 as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.i586"
        },
        "product_reference": "crun-1.20-bp156.2.3.1.i586",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-bp156.2.3.1.ppc64le as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.ppc64le"
        },
        "product_reference": "crun-1.20-bp156.2.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-bp156.2.3.1.s390x as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.s390x"
        },
        "product_reference": "crun-1.20-bp156.2.3.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-bp156.2.3.1.x86_64 as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.x86_64"
        },
        "product_reference": "crun-1.20-bp156.2.3.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-bp156.2.3.1.aarch64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.aarch64"
        },
        "product_reference": "crun-1.20-bp156.2.3.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-bp156.2.3.1.i586 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.i586"
        },
        "product_reference": "crun-1.20-bp156.2.3.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-bp156.2.3.1.ppc64le as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.ppc64le"
        },
        "product_reference": "crun-1.20-bp156.2.3.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-bp156.2.3.1.s390x as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.s390x"
        },
        "product_reference": "crun-1.20-bp156.2.3.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crun-1.20-bp156.2.3.1.x86_64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.x86_64"
        },
        "product_reference": "crun-1.20-bp156.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-21626",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-21626"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (\"attack 2\"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (\"attack 1\"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (\"attack 3a\" and \"attack 3b\"). runc 1.1.12 includes patches for this issue. ",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.aarch64",
          "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.i586",
          "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.ppc64le",
          "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.s390x",
          "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.x86_64",
          "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.aarch64",
          "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.i586",
          "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.ppc64le",
          "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.s390x",
          "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-21626",
          "url": "https://www.suse.com/security/cve/CVE-2024-21626"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1218894 for CVE-2024-21626",
          "url": "https://bugzilla.suse.com/1218894"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.aarch64",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.i586",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.s390x",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.x86_64",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.aarch64",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.i586",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.ppc64le",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.s390x",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.aarch64",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.i586",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.s390x",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.x86_64",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.aarch64",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.i586",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.ppc64le",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.s390x",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-24T15:01:42Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-21626"
    },
    {
      "cve": "CVE-2025-24965",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-24965"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "crun is an open source OCI Container Runtime fully written in C. In affected versions A malicious container image could trick the krun handler into escaping the root filesystem, allowing file creation or modification on the host. No special permissions are needed, only the ability for the current user to write to the target file. The problem is fixed in crun 1.20 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.aarch64",
          "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.i586",
          "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.ppc64le",
          "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.s390x",
          "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.x86_64",
          "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.aarch64",
          "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.i586",
          "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.ppc64le",
          "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.s390x",
          "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-24965",
          "url": "https://www.suse.com/security/cve/CVE-2025-24965"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1237421 for CVE-2025-24965",
          "url": "https://bugzilla.suse.com/1237421"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.aarch64",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.i586",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.s390x",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.x86_64",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.aarch64",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.i586",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.ppc64le",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.s390x",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.aarch64",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.i586",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.s390x",
            "SUSE Package Hub 15 SP6:crun-1.20-bp156.2.3.1.x86_64",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.aarch64",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.i586",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.ppc64le",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.s390x",
            "openSUSE Leap 15.6:crun-1.20-bp156.2.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-24T15:01:42Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-24965"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-24965 (GCVE-0-2025-24965)

FKIE_CVE-2025-24965

OPENSUSE-SU-2025:14763-1

OPENSUSE-SU-2025:0074-1

Tags

Sightings

Nomenclature