CVE-2022-29162 [Medium] | Security Vulnerability in Runc

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.10%	0.39%	+0.29%
2	2025-03-30	0.22%	0.10%	-0.12%
3	2025-03-29	—	0.22%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.10%

0.39%

+0.29%

2025-03-30

0.22%

0.10%

-0.12%

2025-03-29

—

0.22%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.9	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:L) Might cause slowdowns, glitches, or partial disruption—not a full brick.	2.5	3.4	[email protected]
7.8	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.9	[email protected]
4.6	2.0	MEDIUM	`AV:L/AC:L/Au:N/C:P/I:P/A:P` Click to expand Access vector (AV:L) Requires local access to the target system. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	3.9	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.9

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L): Might cause slowdowns, glitches, or partial disruption—not a full brick.

2.5

3.4

[email protected]

7.8

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

5.9

[email protected]

4.6

2.0

MEDIUM

AV:L/AC:L/Au:N/C:P/I:P/A:P Click to expand

Access vector (AV:L): Requires local access to the target system.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

3.9

6.4

[email protected]

OS Trackers for CVE-2022-29162

vendor	priority	summary	link
`alpine`	high	CVE-2022-29162: 1 source package rows (runc); 18 state rows across 7 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 7, open 11.	https://security.alpinelinux.org/vuln/CVE-2022-29162
`debian`	not yet assigned	CVE-2022-29162 not yet assigned priority: Debian including 1 source packages (runc), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2022-29162
`gentoo`	normal	CVE-2022-29162: 1 GLSA(s) (202408-25), 1 atom(s) (app-containers/runc); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2022-29162
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2022-29162
`suse`	medium	CVE-2022-29162 severity moderate: SUSE including 324 source package names (2.0.2-4.2.20:runc-1.1.3-150000.30.1, aardvark-dns-1.1.0-4.module+el8.7.0+16772+33343656, …), 1315 product×package rows across 316 product lines (Container rancher/elemental-teal-iso/5.4, Container rancher/elemental-teal-rt/5.4, … (316 product lines)): Fixed 1223, Known Affected 70, Known Not Affected 22.	https://www.suse.com/security/cve/CVE-2022-29162/
`ubuntu`	low	CVE-2022-29162 low priority: Ubuntu including 1 source packages (runc), 9 status rows across 9 suites (bionic, focal, impish, jammy, kinetic, lunar, trusty, upstream, xenial): released 6, ignored 2, not-affected 1.	https://ubuntu.com/security/CVE-2022-29162

Affected software / configurations for CVE-2022-29162

Vendor	Product	Version	Raw CPE
linuxfoundation	runc	< 1.1.2	cpe:2.3:a:linuxfoundation:runc::::::::
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
fedoraproject	fedora	35	cpe:2.3:o:fedoraproject:fedora:35:::::::*
fedoraproject	fedora	36	cpe:2.3:o:fedoraproject:fedora:36:::::::*

References for CVE-2022-29162

URL	Tags
https://github.com/opencontainers/runc/commit/d04de3a9b72d7a2455c1885fc75eb36d02cd17b5	Patch Third Party Advisory
https://github.com/opencontainers/runc/releases/tag/v1.1.2	Release Notes Third Party Advisory
https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNND/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GPQU4YC4AAY54JDXGDQHJEYKSXXG5T2Y/

URL

CVE-2022-29162 | Incorrect Default Permissions in runc

Exploit prediction scoring system (EPSS) score for CVE-2022-29162

Common vulnerability scoring system (CVSS) metrics for CVE-2022-29162

Weakness enumeration for CVE-2022-29162

GitHub Security Advisory for CVE-2022-29162

OS Trackers for CVE-2022-29162

Affected software / configurations for CVE-2022-29162

References for CVE-2022-29162