DEBIAN-CVE-2019-5736

Source
https://security-tracker.debian.org/tracker/CVE-2019-5736
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2019-5736.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2019-5736
Upstream
Published
2019-02-11T19:29:00Z
Modified
2025-09-30T03:54:35Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
[none]
Details

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe: while runc runs inside the container's namespaces to start or attach to it, /proc/[pid]/exe of that runc process still resolves to the host's runc binary, so a root process in the container can open it read-only and keep the descriptor. Once that runc process has exited (and the executable is no longer busy), the descriptor can be reopened for writing through /proc/self/fd/N and the host binary replaced, so the next runc invocation on the host executes attacker-controlled code as root.

References

Affected packages

Debian:11

lxc

Package

Name
lxc
Purl
pkg:deb/debian/lxc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1:3.1.0+really3.0.3-4

Ecosystem specific

{
    "urgency": "unimportant"
}

runc

Package

Name
runc
Purl
pkg:deb/debian/runc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.0~rc6+dfsg1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12

lxc

Package

Name
lxc
Purl
pkg:deb/debian/lxc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1:3.1.0+really3.0.3-4

Ecosystem specific

{
    "urgency": "unimportant"
}

runc

Package

Name
runc
Purl
pkg:deb/debian/runc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.0~rc6+dfsg1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13

lxc

Package

Name
lxc
Purl
pkg:deb/debian/lxc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1:3.1.0+really3.0.3-4

Ecosystem specific

{
    "urgency": "unimportant"
}

runc

Package

Name
runc
Purl
pkg:deb/debian/runc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.0~rc6+dfsg1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14

lxc

Package

Name
lxc
Purl
pkg:deb/debian/lxc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1:3.1.0+really3.0.3-4

Ecosystem specific

{
    "urgency": "unimportant"
}

runc

Package

Name
runc
Purl
pkg:deb/debian/runc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.0~rc6+dfsg1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}
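
Each affected range above reads "introduced 0, fixed &lt;version&gt;", so an installed runc or lxc is affected exactly when it sorts below the listed fixed version under Debian's rules. Those rules are not plain dotted-number ordering: `~rc6` sorts before the release it precedes, an epoch such as `1:` outranks everything after it, and the Debian revision after the last `-` is compared separately. The following Python is an editor's example added to this page (not Debian's, OSV's or dpkg's code); it reimplements dpkg's version comparison and applies the fixed versions listed on this page to `dpkg-query` output. The sample `dpkg-query` lines are constructed, and the function names are the example's own.

```python
"""Decide whether an installed Debian runc or lxc falls inside this page's
affected ranges (introduced 0 .. fixed version) using dpkg's comparison
rules.  Editor's example for this page; sample dpkg-query output is
constructed, not captured from a real host."""
import string

# Fixed versions exactly as listed in the affected ranges on this page.
FIXED_IN_DEBIAN = {
    "runc": "1.0.0~rc6+dfsg1-2",
    "lxc": "1:3.1.0+really3.0.3-4",
}


def _order(c):
    """dpkg's character weight: '~' < end-of-string < letters < everything else."""
    if c in string.digits:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does, alternating
    non-digit runs and numeric runs; returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until a digit (or the end).
        while (i < len(a) and a[i] not in string.digits) or (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: strip leading zeros, longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in string.digits and j < len(b) and b[j] in string.digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in string.digits:
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, matching `dpkg --compare-versions v1 lt|eq|gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def is_affected(package, installed):
    """True if `installed` sorts below this page's fixed version for `package`;
    None for packages the page does not list (out of scope, not 'safe')."""
    fixed = FIXED_IN_DEBIAN.get(package)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) < 0


def audit_dpkg_output(text):
    """Parse lines of `dpkg-query -W -f='${Package} ${Version}\\n'` and return
    (package, installed, fixed) for every in-scope package still affected."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        package, installed = line.split()
        if is_affected(package, installed):
            findings.append((package, installed, FIXED_IN_DEBIAN[package]))
    return findings


# Constructed sample; not real output from any host.
SAMPLE_DPKG_OUTPUT = """\
runc 1.0.0~rc6+dfsg1-1
lxc 1:3.0.3-1
coreutils 9.1-1
"""

if __name__ == "__main__":
    for finding in audit_dpkg_output(SAMPLE_DPKG_OUTPUT):
        print("AFFECTED: %s %s (fixed in %s)" % finding)
```

On a real host, feed `dpkg-query -W -f='${Package} ${Version}\n' runc lxc` into `audit_dpkg_output`. Note that an `lxc` version without the `1:` epoch sorts below the fixed version no matter how large its numbers are, which is the epoch rule doing its job, and that `1.0.0~rc6+dfsg1-2` itself sorts below a plain `1.0.0`.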