Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-4hj2-r2pm-3hc6

MEDIUM

Incorrect Default Permissions in CRI-O

Also known asCVE-2022-27652GO-2022-0426
Published
Apr 22, 2022
Updated
Mar 13, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.2%probability of exploitation in next 30 days
Lower Risk15th percentile+0.22%
0.00%0.25%0.49%0.74%0.0%0.2%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐹github.com/cri-o/cri-o

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Impact

A bug was found in CRI-O where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted.

This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set.

Patches

This bug will been fixed in the following versions of CRI-O:

  • v1.24.0

Users should update to the version corresponding to their minor release as soon as possible. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset.

This fix changes CRI-O behavior such that containers are started with a more typical Linux environment. Refer to capabilities(7) for a description of how capabilities work. Note that permitted file capabilities continue to allow for privileges to be raised up to the container's bounding set and that processes may add capabilities to their own inheritable set up to the container's bounding set per the rules described in the manual page. In all cases the container's bounding set provides an upper bound on the capabilities that can be assumed and provides for the container security sandbox.

Workarounds

The entrypoint of a container can be modified to use a utility like capsh(1) to drop inheritable capabilities prior to the primary process starting.

Credits

CRI-O would like to thank Andrew G. Morgan for responsibly disclosing this issue, as well as the Moby (Docker Engine) project for working with the other container engines in coordinating a fix.

For more information

If you have any questions or comments about this advisory:

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 4.8/Medium

MetricValueComments
Attack Vector (AV)LocalAn attacker requires local control to launch a container with files that have inheritable capabilities.
Attack Complexity (AC)LowModifying a file to have inheritable capabilities is not difficult.
Privileges Required (PR)LowAn attacker requires enough privilege to cause a container to be launched with a compromised image. Moby's API is typically bound to a local Unix domain socket and requires calls to be made from a process that is either UID 0 or present in the configured group.
User Interaction (UI)RequiredAn attacker must cause the compromised image to be run.
Scope (S)UnchangedThe container boundary set by Moby, including the bounding capability set, is not modified. A successful attack gains access to privileges and resources within the boundary, not outside of it.
Confidentiality (C)LowAn attacker may gain access to some confidential information through elevation of CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_SETFCAP, or CAP_SETPCAP, but the exposed information is limited to that which is already inside the container.
Integrity (I)LowAn attacker may be able to tamper with data inside the container through elevation of CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_SETFCAP, or CAP_SETPCAP, or spoof packets with CAP_NET_RAW, but the tampered data is limited to that which is already inside the container.
Availability (A)LowAn attacker may be able to affect the availability of an application running inside the container through elevation of CAP_KILL or CAP_NET_RAW, or may be able to affect availability through tampering with file dependencies.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/cri-o/cri-oall versions1.24.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/cri-o/cri-o. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/cri-o/cri-o to 1.24.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4hj2-r2pm-3hc6 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-4hj2-r2pm-3hc6 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-4hj2-r2pm-3hc6. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact A bug was found in CRI-O where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable fil
O3 Security · Impact-Aware SCA

Is GHSA-4hj2-r2pm-3hc6 in your dependencies?

O3 detects GHSA-4hj2-r2pm-3hc6 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works