CVE-2022-29162 in runc
Summary
by MITRE • 05/18/2022
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.
Analysis
by VulDB Data Team • 06/11/2026
The vulnerability identified as CVE-2022-29162 affects runc, the container runtime that implements the Open Container Initiative specification for container execution on Linux. The flaw is a capability inheritance issue: in runc versions prior to 1.1.2, processes spawned through `runc exec --cap` with explicit capability assignments retain a non-empty inheritable capability set that would not be present in a typical Linux execution context. This anomalous environment violates the usual assumptions about how process capabilities are managed and which privilege escalation paths are available.
The technical root cause lies in how runc populates the Linux capability sets of the process it spawns, and in how the kernel transforms those sets during execve(2). Specifically, when using the `runc exec --cap` command, the tool incorrectly left the requested capabilities in the inheritable set of the spawned process. Under the Linux capability model, the inheritable set has to be managed carefully: on execve(2) the kernel computes the new permitted set as the intersection of the process's inheritable set with the file's inheritable capabilities, combined with the file's permitted capabilities masked by the bounding set and any ambient capabilities. A binary carrying inheritable file capabilities therefore gains those capabilities in its permitted set only if the calling process's inheritable set already contains them, which is exactly the state the bug created. This weakens the intended capability boundary inside the container. The issue maps to CWE-250, which addresses "Execute Code with Unusual or Unconventional Privilege Level", and CWE-269, addressing "Improper Privilege Management or Failure to Check Privilege Level". The behavior arises from the capability inheritance mechanism documented in the kernel's capabilities(7) description, where capabilities in the inheritable set can be promoted to the permitted set upon process execution.
The operational impact of this vulnerability goes beyond a cosmetic capability inheritance issue and can weaken the container's internal privilege boundaries. The bug does not affect the container's security sandbox itself, since the inheritable set never contained more capabilities than the container's bounding set, but it does open a privilege escalation path inside the container. An attacker who can already run code in the container could leverage this behavior to gain additional capabilities, particularly if the container filesystem contains binaries with inheritable file capabilities that overlap the process's inheritable set. This matters most in containerized environments where processes of differing privilege levels interact, as it creates capability propagation paths that operators would not expect. In ATT&CK terms, T1548.001 covers privilege escalation through capability and setuid/setgid manipulation, while T1068 covers exploitation of local privilege escalation vulnerabilities in such environments.
The fix implemented in runc version 1.1.2 modifies the behavior of `runc exec --cap` so that the additional capabilities granted to the executed process no longer include inheritable capabilities. This eliminates the anomalous inheritable set that previously enabled the escalation path. Additionally, the `runc spec` command was updated so that the default OCI specification file (`config.json`) sets no inheritable capabilities, ensuring that new container configurations start with an empty inheritable set. This remediation follows the principle of least privilege by dropping capability inheritance that serves no purpose, and it prevents the scenario where inheritable file capabilities could be elevated to permitted status during process execution. The fix aligns with security best practices for container runtime implementations and keeps containerized applications within the capability boundaries defined by the Linux capability model. Organizations should upgrade to runc 1.1.2 or later to eliminate this vulnerability, and can verify the result by confirming that `CapInh` in `/proc/<pid>/status` of an exec'd process is zero.
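The following is an added example, not runc's code: it models the execve(2) capability transformation described in the root-cause paragraph above, applies it to the pre-fix and post-fix states of `runc exec --cap` covered in the fix paragraph, and includes a small check over constructed `/proc/<pid>/status` lines that a defender can use to confirm the inheritable set is empty. It assumes a non-root (non-uid-0) process; the capability bit numbers are from `<linux/capability.h>`.

```python
# Added example (not runc's own code). Models capabilities(7),
# "Transformation of capabilities during execve()", for a non-uid-0 process.
CAP_SETUID = 1 << 7        # bit numbers from <linux/capability.h>
CAP_NET_ADMIN = 1 << 12
CAP_SYS_ADMIN = 1 << 21


def execve_caps(p_inh, p_bnd, p_amb, f_inh, f_perm, f_eff):
    """Return (permitted, effective, inheritable, ambient) after execve(2).

    P'(ambient)   = 0 if the file carries capabilities, else P(ambient)
    P'(permitted) = (P(inh) & F(inh)) | (F(perm) & P(bnd)) | P'(ambient)
    P'(effective) = P'(permitted) if F(effective) bit set, else P'(ambient)
    P'(inheritable) is unchanged by execve.
    """
    new_amb = 0 if (f_inh or f_perm) else p_amb
    new_perm = (p_inh & f_inh) | (f_perm & p_bnd) | new_amb
    new_eff = new_perm if f_eff else new_amb
    return new_perm, new_eff, p_inh, new_amb


def exec_binary_with_file_caps(p_inh):
    """Permitted/effective sets a binary with only *inheritable* file caps gets.

    Constructed scenario: the container bounding set allows CAP_SETUID and
    CAP_NET_ADMIN; the binary has F(inh)=CAP_NET_ADMIN, F(perm)=0, F(eff)=1.
    Pre-1.1.2, `runc exec --cap CAP_NET_ADMIN` also put CAP_NET_ADMIN into the
    process inheritable set (p_inh != 0); 1.1.2 leaves p_inh empty.
    """
    bounding = CAP_SETUID | CAP_NET_ADMIN
    perm, eff, _, _ = execve_caps(p_inh, bounding, 0, CAP_NET_ADMIN, 0, 1)
    return perm, eff


def has_nonempty_capinh(status_text):
    """True if the CapInh line of a /proc/<pid>/status dump is non-zero."""
    for line in status_text.splitlines():
        if line.startswith("CapInh:"):
            return int(line.split()[1], 16) != 0
    raise ValueError("no CapInh line in status text")


# Constructed /proc/<pid>/status excerpts: pre-fix (CapInh set) and fixed.
STATUS_PRE_FIX = "Name:\tsh\nCapInh:\t0000000000001000\nCapPrm:\t0000000000001080\n"
STATUS_FIXED = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t0000000000001080\n"

if __name__ == "__main__":
    print("pre-fix :", exec_binary_with_file_caps(CAP_NET_ADMIN))
    print("fixed   :", exec_binary_with_file_caps(0))
```

Running the block shows the binary ending up with CAP_NET_ADMIN in its permitted and effective sets only in the pre-fix state; with an empty inheritable set it gains nothing.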