CVE-2026-30892
Published: 26 March 2026
Summary
CVE-2026-30892 is an uncategorised-severity Improper Privilege Management (CWE-269) vulnerability in Crun Project Crun. Its CVSS base score is 0.0.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 4.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-30892 affects crun, an open source OCI Container Runtime implemented in C. The vulnerability exists in versions 1.19 through 1.26, where the `crun exec` option `-u` (`--user`) incorrectly parses the value `1` as UID 0 and GID 0, rather than the intended UID 1 and GID 0. This parsing error causes the executed process to run with elevated privileges (root user) instead of the expected non-root UID.
A local attacker can exploit this issue with low complexity and no privileges or user interaction required, as indicated by the CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U. By invoking `crun exec -u 1` on a vulnerable crun instance, the attacker causes a container process to execute as UID 0 (root) and GID 0, achieving higher privileges than anticipated and potentially enabling unauthorized actions within the container context.
The issue is patched in crun version 1.27. Security advisories and references, including the GitHub security advisory GHSA-4vg2-xjqj-7chj, the release notes for v1.27, and the fixing commit 1bd7f42446999b0e76bc3d575392e05c943b0b01, recommend upgrading to the patched version to mitigate the improper privilege management flaw (CWE-269). The base CVSS score is 0.0.
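As an added example (not crun's code and not the fixing commit), the following C parser applies the `uid[:gid]` semantics the advisory describes, a bare `1` meaning UID 1 and GID 0, and fails closed on malformed input instead of degrading to root; the last function is the check a defender can run after an exec to confirm the process received the requested identity rather than 0/0. The struct and function names are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Identity an exec request asked for; gid defaults to 0 when the spec omits it. */
struct exec_user { uid_t uid; gid_t gid; };

/* Parse one decimal id field of length len. Rejects empty fields, signs,
 * non-digits and overflow instead of degrading to 0 (which would mean root). */
static bool parse_id(const char *s, size_t len, unsigned long *out)
{
    char buf[16], *end;
    if (len == 0 || len >= sizeof buf)
        return false;
    memcpy(buf, s, len);
    buf[len] = '\0';
    if (strspn(buf, "0123456789") != len)
        return false;
    errno = 0;
    *out = strtoul(buf, &end, 10);
    return errno == 0 && *end == '\0' && *out <= UINT_MAX;
}

/* Parse "uid[:gid]" with the semantics the advisory expects: bare "1" is uid 1, gid 0. */
bool parse_exec_user(const char *spec, struct exec_user *u)
{
    const char *colon = strchr(spec, ':');
    size_t uid_len = colon ? (size_t)(colon - spec) : strlen(spec);
    unsigned long uid, gid = 0;
    if (!parse_id(spec, uid_len, &uid))
        return false;
    if (colon && !parse_id(colon + 1, strlen(colon + 1), &gid))
        return false;
    u->uid = (uid_t)uid; u->gid = (gid_t)gid;
    return true;
}

/* Post-exec check: compare the identity the process actually received (e.g. the
 * output of `id -u` / `id -g` inside the container) with what was requested.
 * A request for "1" that ended up as 0/0 is the CVE-2026-30892 symptom. */
bool exec_identity_ok(const char *spec, uid_t actual_uid, gid_t actual_gid)
{
    struct exec_user want;
    if (!parse_exec_user(spec, &want))
        return false;
    return actual_uid == want.uid && actual_gid == want.gid;
}
```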
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16026
Vulnerability details
crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a local parsing flaw in crun exec --user that directly results in unintended root execution inside the container, matching Exploitation for Privilege Escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely flaw remediation by patching crun to version 1.27, directly eliminating the UID parsing error that causes unintended root privilege execution.
- AC-6 (Least Privilege): Enforces least privilege so that container processes execute only with the minimal privileges intended, mitigating elevation to root from the `crun exec -u` misparsing.
- AC-3 (Access Enforcement): Mandates enforcement of approved access authorizations, countering the runtime's failure to apply the specified non-root UID and GID correctly.