Source: crun
Version: 1.26-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.21-1

Hi,

The following vulnerability was published for crun.

CVE-2026-30892[0]:
| crun is an open source OCI Container Runtime fully written in C. In
| versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`)
| is incorrectly parsed. The value `1` is interpreted as UID 0 and GID
| 0 when it should have been UID 1 and GID 0. The process thus runs
| with higher privileges than expected. Version 1.27 patches the
| issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-30892
    https://www.cve.org/CVERecord?id=CVE-2026-30892
[1] https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj

Regards,
Salvatore
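
Added example, not crun's code and not part of the report above: a strict C parser for a numeric `UID[:GID]` argument that yields UID 1 and GID 0 for the value `1`, the result the advisory says is expected, and rejects malformed input instead of falling back to 0. The names `parse_user_spec`, `parse_id` and `struct user_spec` are hypothetical, and numeric IDs only are assumed; the advisory does not show the faulty code.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result type for this example; not a crun structure. */
struct user_spec { uint32_t uid; uint32_t gid; };

/* Parse one decimal ID from the len bytes at s. Returns 0 on success, -1 on error. */
static int parse_id(const char *s, size_t len, uint32_t *out)
{
    char buf[16];
    unsigned long long v;

    if (len == 0 || len >= sizeof(buf))
        return -1;
    /* Digits only: strtoull alone would also accept "+1", "-1" and " 1". */
    for (size_t i = 0; i < len; i++)
        if (s[i] < '0' || s[i] > '9')
            return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    errno = 0;
    v = strtoull(buf, NULL, 10);
    /* 0xFFFFFFFF is (uid_t)-1, the "leave unchanged" value of setresuid(2). */
    if (errno != 0 || v >= UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Parse "UID" or "UID:GID"; an absent GID means GID 0, never an altered UID. */
int parse_user_spec(const char *arg, struct user_spec *out)
{
    struct user_spec tmp = { 0, 0 };
    const char *colon;
    size_t uid_len;

    if (arg == NULL || out == NULL)
        return -1;
    colon = strchr(arg, ':');
    uid_len = colon ? (size_t)(colon - arg) : strlen(arg);
    if (parse_id(arg, uid_len, &tmp.uid) != 0)
        return -1;
    if (colon && parse_id(colon + 1, strlen(colon + 1), &tmp.gid) != 0)
        return -1;
    *out = tmp; /* written only after the whole argument validated */
    return 0;
}
```

A regression test for this class of bug should assert on both fields for the single-value form (`1` gives UID 1, GID 0), since a check on the GID alone passes on an affected parser.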

