CVE-2025-2713

Medium

Published: 28 March 2025

Modified: 26 September 2025
CVSS Score v4: 6.8 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0003 (10.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2713 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Google gVisor. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 10.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-2713 is a local privilege escalation vulnerability in the runsc component of Google gVisor, a user-space kernel for running containers securely. The flaw stems from incorrect handling of file access permissions, where the process initially executes with root-like permissions until the first fork, enabling unprivileged users to access restricted files. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-266 (Incorrect Privilege Assignment for Critical Resource).

A local attacker with low privileges, such as an unprivileged user on the host system, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to read, modify, or disrupt restricted files, resulting in high impacts on confidentiality, integrity, and availability—effectively escalating privileges to root-like access within the gVisor environment.

Mitigation is addressed in a patch committed to the gVisor repository at https://github.com/google/gvisor/commit/586c38d70081b13b2ed494cef48e99b93956843e, which security practitioners should review and apply to affected runsc deployments to correct the permission handling logic.

Vulnerability details

Google gVisor's runsc component exhibited a local privilege escalation vulnerability due to incorrect handling of file access permissions, which allowed unprivileged users to access restricted files. This occurred because the process initially ran with root-like permissions until the first fork.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local privilege escalation vulnerability in gVisor runsc due to incorrect file permission handling before fork, directly enabling exploitation for elevated (root-like) access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-56192 (same vendor: Google)
CVE-2025-48602 (same vendor: Google)
CVE-2026-0124 (same vendor: Google)
CVE-2024-49738 (same vendor: Google)
CVE-2024-40651 (same vendor: Google)
CVE-2026-0023 (same vendor: Google)
CVE-2025-48574 (same vendor: Google)
CVE-2025-48647 (same vendor: Google)
CVE-2025-48646 (same vendor: Google)
CVE-2026-0026 (same vendor: Google)

Affected Assets

Vendor: google
Product: gvisor
Versions: ≤ 20240325.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces least privilege by ensuring the runsc process does not retain root-like permissions beyond necessity, directly preventing unprivileged access to restricted files.

prevent

Requires enforcement of approved access authorizations on files, countering the incorrect permission handling that enabled privilege escalation.

prevent

Mandates timely flaw remediation, such as applying the specific patch for runsc's permission logic, to eliminate the vulnerability.
