CVE-2025-2713
Published: 28 March 2025
Summary
CVE-2025-2713 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Google Gvisor. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-2713 is a local privilege escalation vulnerability in the runsc component of Google gVisor, a user-space kernel for running containers securely. The flaw stems from incorrect handling of file access permissions, where the process initially executes with root-like permissions until the first fork, enabling unprivileged users to access restricted files. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-266 (Incorrect Privilege Assignment for Critical Resource).
A local attacker with low privileges, such as an unprivileged user on the host system, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to read, modify, or disrupt restricted files, resulting in high impacts on confidentiality, integrity, and availability—effectively escalating privileges to root-like access within the gVisor environment.
Mitigation is addressed in a patch committed to the gVisor repository at https://github.com/google/gvisor/commit/586c38d70081b13b2ed494cef48e99b93956843e, which security practitioners should review and apply to affected runsc deployments to correct the permission handling logic.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8644
Vulnerability details
Google gVisor's runsc component exhibited a local privilege escalation vulnerability due to incorrect handling of file access permissions, which allowed unprivileged users to access restricted files. This occurred because the process initially ran with root-like permissions until the first fork.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local privilege escalation vulnerability in gVisor runsc due to incorrect file permission handling before fork, directly enabling exploitation for elevated (root-like) access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces least privilege by ensuring the runsc process does not retain root-like permissions beyond necessity, directly preventing unprivileged access to restricted files.
Requires enforcement of approved access authorizations on files, countering the incorrect permission handling that enabled privilege escalation.
Mandates timely flaw remediation, such as applying the specific patch for runsc's permission logic, to eliminate the vulnerability.