libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument.
{ "nvd_published_at": null, "cwe_ids": [ "CWE-284" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-05-17T15:26:35Z" }