
CVE-2026-30892

Severity: Low · Public PoC · LPE (local privilege escalation)

Published: 26 March 2026
Modified: 27 March 2026
KEV Added: not listed
Patch: crun 1.27
CVSS Score (v3.1): 0.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
EPSS Score: 0.0002 (4.3rd percentile)
Risk Priority: 0 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-30892 is an Improper Privilege Management (CWE-269) vulnerability in crun (crun project). Its recorded CVSS base score is 0.0, but only because the recorded vector carries no confidentiality, integrity or availability impact (C:N/I:N/A:N), which cannot be right for a flaw that runs a process as root; treat the score as a placeholder from an incomplete vector, not as an assessment that the issue is harmless.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 4.3rd percentile by exploit likelihood (well below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30892 affects crun, an open source OCI Container Runtime implemented in C. The vulnerability exists in versions 1.19 through 1.26, where the `crun exec` option `-u` (`--user`) incorrectly parses the value `1` as UID 0 and GID 0, rather than the intended UID 1 and GID 0. This parsing error causes the executed process to run with elevated privileges (root user) instead of the expected non-root UID.

The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U) records the issue as locally exploitable with low complexity and no user interaction. Read it with the invocation path in mind: `crun exec` is run by whoever manages the container, normally the container engine acting on an operator's `exec --user 1` request, and the affected process stays inside the container (scope unchanged). The practical effect is therefore a failed privilege drop: a command that was meant to run as UID 1 inside the container instead runs as UID 0 and GID 0, with whatever privileges root holds in that container, and can take actions the non-root identity was chosen to rule out.

The issue is patched in crun version 1.27. The GitHub security advisory GHSA-4vg2-xjqj-7chj, the release notes for v1.27 and the fixing commit 1bd7f42446999b0e76bc3d575392e05c943b0b01 all recommend upgrading to the patched version. Because the fix lives in the runtime binary on the host rather than in container images, every host running an affected crun needs the upgrade, and any automation that relies on `exec --user` to drop privileges should be checked against the effective UID until it is applied.


Vulnerability details

crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue.
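The parsing contract this CVE violates, shown as an added illustration that is not crun's own code (it is written here for the "Deeper analysis" and "Vulnerability details" passages above): a strict parser for the `uid[:gid]` form that `--user` takes, and a regression check that a request for a non-zero UID can never come back as UID 0. The function names and the `default_gid` parameter are this example's own choices; the advisory's case corresponds to `default_gid` 0, which is why `"1"` must mean UID 1 / GID 0.

```c
/* Added example, not crun's code: strict parsing of the "uid[:gid]" string
 * that `--user` takes, with the property this CVE is about made explicit:
 * a request for UID 1 must yield UID 1, never UID 0. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one unsigned decimal id occupying exactly [s, end). Rejects empty
 * input, signs, leading whitespace, trailing garbage and values above
 * UINT32_MAX. Returns true on success. */
static bool parse_id(const char *s, const char *end, uint32_t *out)
{
    if (s == end || *s < '0' || *s > '9')
        return false;                      /* empty, '+', '-', space, ... */
    char *stop;
    errno = 0;
    unsigned long v = strtoul(s, &stop, 10);
    if (errno != 0 || stop != end || v > UINT32_MAX)
        return false;
    *out = (uint32_t)v;
    return true;
}

/* Parse "uid" or "uid:gid". When the group part is omitted the gid keeps
 * default_gid (the container's configured group; 0 in the advisory's case).
 * Returns 0 on success and -1 on malformed input; on failure *uid and *gid
 * are left untouched, so a caller can never mistake a failed parse for
 * "run as root". */
int parse_user_spec(const char *spec, uint32_t default_gid,
                    uint32_t *uid, uint32_t *gid)
{
    if (spec == NULL)
        return -1;
    const char *end = spec + strlen(spec);
    const char *colon = strchr(spec, ':');
    const char *uid_end = colon ? colon : end;
    uint32_t u, g = default_gid;

    if (!parse_id(spec, uid_end, &u))
        return -1;
    if (colon && !parse_id(colon + 1, end, &g))
        return -1;
    *uid = u;
    *gid = g;
    return 0;
}

/* Regression check in the spirit of this CVE: a spec whose uid field does
 * not start with '0' must never parse to UID 0. Returns how many of the
 * given specs silently mapped to root; 0 means the parser passes. */
int count_silent_root(const char *const *specs, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t u = UINT32_MAX, g = UINT32_MAX;   /* sentinels, not 0 */
        if (parse_user_spec(specs[i], 0, &u, &g) != 0)
            continue;                              /* rejected input is fine */
        if (u == 0 && specs[i][0] != '0')
            bad++;
    }
    return bad;
}

int main(void)
{
    /* Constructed inputs: the advisory's case first, then hostile ones. */
    const char *const specs[] = { "1", "1000:1000", "0:5", "", "1:", ":1",
                                  "-1", "1x", "4294967296" };
    size_t n = sizeof specs / sizeof *specs;
    for (size_t i = 0; i < n; i++) {
        uint32_t u, g;
        if (parse_user_spec(specs[i], 0, &u, &g) == 0)
            printf("%-12s -> uid=%u gid=%u\n", specs[i], u, g);
        else
            printf("%-12s -> rejected\n", specs[i]);
    }
    printf("silent-root count: %d\n", count_silent_root(specs, n));
    return 0;
}
```

The two design points worth carrying into any runtime or wrapper: a parse failure must be reported, never defaulted to 0/0, and the outputs must be untouched on failure so that an unchecked return value still cannot hand out root.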

CWE(s)

CWE-269 Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a local parsing flaw in crun exec --user that directly results in unintended root execution inside the container, matching Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-44250 (shared CWE-269)
CVE-2024-53706 (shared CWE-269)
CVE-2025-66374 (shared CWE-269)
CVE-2026-28995 (shared CWE-269)
CVE-2025-43199 (shared CWE-269)
CVE-2025-36640 (shared CWE-269)
CVE-2025-8899 (shared CWE-269)
CVE-2024-47770 (shared CWE-269)
CVE-2025-24254 (shared CWE-269)
CVE-2025-27639 (shared CWE-269)

Affected Assets

Vendor: crun project
Product: crun
Versions: 1.19 through 1.26 (fixed in 1.27)
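Mapping a host's crun version onto the range above, as an added helper that is not part of this page or of the crun project. It assumes the first line of `crun --version` reads `crun version X.Y.Z` (that format is an assumption, not something the advisory states) and drops any pre-release suffix before comparing.

```shell
#!/bin/sh
# Added example, not from this advisory or the crun project: classify a crun
# version against the affected range 1.19..1.26 (fixed in 1.27) given above.

# version_ge A B: true (exit 0) when dotted numeric version A >= B.
# Missing fields count as 0, so 1.27 and 1.27.0 compare equal.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; if [ "$x" = "$a" ]; then a=; else a=${a#*.}; fi
        y=${b%%.*}; if [ "$y" = "$b" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# crun_status VERSION: prints affected, fixed, not-affected or unknown.
# Accepts a bare version or the first line of `crun --version` (assumed to
# read "crun version X.Y.Z"). Anything after the numeric part, e.g. "-rc1",
# is dropped, so a 1.27 pre-release is reported as fixed; confirm such
# builds against the fixing commit rather than trusting this output.
crun_status() {
    v=${1#"crun version "}
    v=${v%%[!0-9.]*}
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" 1.27; then
        echo fixed
    elif version_ge "$v" 1.19; then
        echo affected
    else
        echo not-affected
    fi
}

# On a host with crun installed (the functions above only need a version
# string, so the binary is not required to run them):
#   crun_status "$(crun --version | head -n 1)"
```

A version check is a triage aid, not proof: the decisive test on a host that cannot be upgraded immediately is to exec a command with `--user 1` and confirm the effective UID reported inside the container is 1.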

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): patch crun to version 1.27, which removes the UID parsing error that causes unintended root execution.

AC-6 Least Privilege (prevent): ensure container processes execute only with the minimal privileges intended, so that an exec that asks for a non-root UID cannot silently end up as root.

AC-3 Access Enforcement (prevent): enforce approved access authorizations, countering the runtime's failure to apply the specified non-root UID and GID.

Note that the two access controls depend on the runtime honouring the requested identity, which is exactly what this bug breaks; until crun is upgraded, verify the effective UID of exec'd processes rather than trusting the request.

References

GitHub security advisory GHSA-4vg2-xjqj-7chj
crun v1.27 release notes
Fixing commit 1bd7f42446999b0e76bc3d575392e05c943b0b01