DEBIAN-CVE-2026-41579

Source
https://security-tracker.debian.org/tracker/CVE-2026-41579
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41579.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-41579
Upstream
  • CVE-2026-41579
Published
2026-07-01T02:17:00.193Z
Modified
2026-07-01T18:00:14.459860103Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join string which allow an image with /dev as a symlink to trick runc into deleting files called ptmx on the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This issue is not exploitable under Docker, because Docker creates a top-level read-only layer that masks any malicious /dev symlink present in the container image — unlike some other Linux container tooling, whose higher-level runtimes built on runc remain exposed to exploitation via a malicious image. This issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0.

References

Affected packages

Debian:11 / runc

Package

Name
runc
Purl
pkg:deb/debian/runc?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.0~rc93+ds1-5
1.0.0~rc93+ds1-5+deb11u1
1.0.0~rc93+ds1-5+deb11u2
1.0.0~rc93+ds1-5+deb11u3
1.0.0~rc93+ds1-5+deb11u4
1.0.0~rc93+ds1-5+deb11u5
1.0.0~rc93.144.g6538f9f2+ds1-1
1.0.0~rc94+ds1-1
1.0.0~rc94+ds1-2
1.0.0~rc95.86.g2f8e8e9d+ds1-1
1.0.0+ds1-1
1.0.1+ds1-1
1.0.1+ds1-2
1.0.2+ds1-1
1.0.2+ds1-2
1.0.3+ds1-1
1.1.0~rc.1+ds1-1
1.1.0+ds1-1
1.1.1+ds1-1
1.1.3+ds1-1
1.1.3+ds1-2
1.1.3+ds1-3
1.1.3+ds1-4
1.1.3+ds1-5
1.1.3+ds1-6
1.1.3+ds1-7
1.1.4+ds1-1
1.1.5+ds1-1
1.1.5+ds1-2
1.1.5+ds1-3
1.1.5+ds1-4
1.1.5+ds1-5
1.1.10+ds1-1
1.1.12+ds1-1
1.1.12+ds1-2
1.1.12+ds1-3
1.1.12+ds1-4
1.1.12+ds1-5
1.1.12+ds1-5.1
1.1.15+ds1-1
1.1.15+ds1-2
1.3.0+ds1-1
1.3.0+ds1-2
1.3.0+ds1-3
1.3.0+ds1-4
1.3.2+ds1-1
1.3.3+ds1-1
1.3.3+ds1-2
1.3.3+ds1-3
1.3.5+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41579.json"

Debian:12 / runc

Package

Name
runc
Purl
pkg:deb/debian/runc?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.1.5+ds1-1
1.1.5+ds1-1+deb12u1
1.1.5+ds1-2
1.1.5+ds1-3
1.1.5+ds1-4
1.1.5+ds1-5
1.1.10+ds1-1
1.1.12+ds1-1
1.1.12+ds1-2
1.1.12+ds1-3
1.1.12+ds1-4
1.1.12+ds1-5
1.1.12+ds1-5.1
1.1.15+ds1-1
1.1.15+ds1-2
1.3.0+ds1-1
1.3.0+ds1-2
1.3.0+ds1-3
1.3.0+ds1-4
1.3.2+ds1-1
1.3.3+ds1-1
1.3.3+ds1-2
1.3.3+ds1-3
1.3.5+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41579.json"

Debian:13 / runc

Package

Name
runc
Purl
pkg:deb/debian/runc?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.1.15+ds1-2
1.3.0+ds1-1
1.3.0+ds1-2
1.3.0+ds1-3
1.3.0+ds1-4
1.3.2+ds1-1
1.3.3+ds1-1
1.3.3+ds1-2
1.3.3+ds1-3
1.3.5+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41579.json"

Debian:14 / runc

Package

Name
runc
Purl
pkg:deb/debian/runc?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.1.15+ds1-2
1.3.0+ds1-1
1.3.0+ds1-2
1.3.0+ds1-3
1.3.0+ds1-4
1.3.2+ds1-1
1.3.3+ds1-1
1.3.3+ds1-2
1.3.3+ds1-3
1.3.5+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41579.json"