Cyber Posture

CVE-2025-2713

High

Published: 28 March 2025

Published
28 March 2025
Modified
26 September 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 9.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2713 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Google Gvisor. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-6 Least Privilege good match
prevent

Enforces least privilege by ensuring the runsc process does not retain root-like permissions beyond necessity, directly preventing unprivileged access to restricted files.

AC-3 Access Enforcement good match
prevent

Requires enforcement of approved access authorizations on files, countering the incorrect permission handling that enabled privilege escalation.

SI-2 Flaw Remediation good match
prevent

Mandates timely flaw remediation, such as applying the specific patch for runsc's permission logic, to eliminate the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Local privilege escalation vulnerability in gVisor runsc due to incorrect file permission handling before fork, directly enabling exploitation for elevated (root-like) access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Google gVisor's runsc component exhibited a local privilege escalation vulnerability due to incorrect handling of file access permissions, which allowed unprivileged users to access restricted files. This occurred because the process initially ran with root-like permissions until the first fork.

Deeper analysisAI

CVE-2025-2713 is a local privilege escalation vulnerability in the runsc component of Google gVisor, a user-space kernel for running containers securely. The flaw stems from incorrect handling of file access permissions, where the process initially executes with root-like permissions until the first fork, enabling unprivileged users to access restricted files. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-266 (Incorrect Privilege Assignment for Critical Resource).

A local attacker with low privileges, such as an unprivileged user on the host system, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to read, modify, or disrupt restricted files, resulting in high impacts on confidentiality, integrity, and availability—effectively escalating privileges to root-like access within the gVisor environment.

Mitigation is addressed in a patch committed to the gVisor repository at https://github.com/google/gvisor/commit/586c38d70081b13b2ed494cef48e99b93956843e, which security practitioners should review and apply to affected runsc deployments to correct the permission handling logic.

Details

CWE(s)
CWE-266NVD-CWE-noinfo

Affected Products

google
gvisor
≤ 20240325.0

CVEs Like This One

CVE-2025-48574Same vendor: Google
CVE-2025-36920Same vendor: Google
CVE-2026-0011Same vendor: Google
CVE-2026-0020Same vendor: Google
CVE-2026-0117Same vendor: Google
CVE-2024-53833Same vendor: Google
CVE-2026-0010Same vendor: Google
CVE-2026-0037Same vendor: Google
CVE-2025-48577Same vendor: Google
CVE-2024-49742Same vendor: Google

References