CVE-2022-27651

The Dangerous Inheritance: How CVE-2022-27651 Broke Container Least Privilege

Alon Barad
Software Engineer

Jan 2, 2026 · 5 min read

Executive Summary (TL;DR)

Buildah and Docker Engine (Moby) were initializing containers with a fully populated 'Inheritable' capability set. This violated the principle of least privilege, allowing processes within the container to easily elevate their privileges to the container's maximum bounding set simply by executing binaries with file capabilities set. It's a classic case of "default insecure" configuration.

A deep dive into a subtle but significant flaw in how Buildah and Docker Engine initialized Linux process capabilities. By misconfiguring the Inheritable set, these runtimes allowed unintended privilege escalation within containers, turning the complex mathematics of Linux permissions against the security model.
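The condition described above can be checked from inside a container without any special tooling, because the kernel exposes every process's capability sets as hex masks in /proc/<pid>/status. The following audit script is an added example written for this page, not code from the Buildah or Moby projects. It parses the CapInh/CapPrm/CapEff/CapBnd lines, decodes the masks into capability names, and flags the CVE-2022-27651 pattern: a non-empty Inheritable set overlapping the bounding set. The reasoning is the kernel's exec rule pP' = (X & fP) | (pI & fI): any bit present in both the process Inheritable set (pI) and the bounding set (X) can be handed back to a process by a binary whose file Inheritable bits (fI) cover it, so a hardened runtime leaves pI empty. The two status excerpts are constructed samples: the vulnerable one uses 0xa80425fb, Docker's documented default capability mask, as both CapInh and CapBnd for a non-root process; the fixed one zeroes CapInh.

```python
"""Audit a process's capability sets for the CVE-2022-27651 pattern.

Added example for this page; not code from Buildah, Moby or Podman.
"""
import re

# Linux capability bit numbers, in order, from include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

CAP_LINE = re.compile(r"^(CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s*([0-9a-fA-F]+)\s*$", re.M)

# Constructed /proc/1/status excerpts for a non-root container process.
# Vulnerable runtime: Inheritable set equals the bounding set (0xa80425fb is
# Docker's default capability mask) even though Permitted/Effective are empty.
VULNERABLE_STATUS = """Name:\tsh
Uid:\t1000\t1000\t1000\t1000
CapInh:\t00000000a80425fb
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Fixed runtime: same bounding set, but the Inheritable set is empty.
FIXED_STATUS = """Name:\tsh
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def parse_caps(status_text):
    """Return {"CapInh": int, ...} parsed from /proc/<pid>/status text."""
    caps = {m.group(1): int(m.group(2), 16) for m in CAP_LINE.finditer(status_text)}
    missing = {"CapInh", "CapPrm", "CapEff", "CapBnd"} - caps.keys()
    if missing:
        raise ValueError(f"status text lacks {sorted(missing)}")
    return caps


def cap_names(mask):
    """Decode a capability bitmask into a list of CAP_* names (bit order)."""
    return [
        CAP_NAMES[i] if i < len(CAP_NAMES) else f"CAP_{i}"
        for i in range(mask.bit_length())
        if (mask >> i) & 1
    ]


def audit(status_text):
    """Flag the insecure default: Inheritable bits that lie inside the bounding set.

    On exec of a binary carrying file capabilities the kernel computes
        pP' = (X & fP) | (pI & fI)
    so every bit in (pI & X) is one the process can regain via a suitable
    binary.  A least-privilege runtime initializes pI to zero.
    """
    caps = parse_caps(status_text)
    regainable = caps["CapInh"] & caps["CapBnd"]
    return {
        "vulnerable_default": regainable != 0,
        "regainable": cap_names(regainable),
        "effective": cap_names(caps["CapEff"]),
        "bounding": cap_names(caps["CapBnd"]),
    }


def audit_pid(pid=1):
    """Audit a live process by reading its /proc status file (Linux only)."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_STATUS), ("fixed", FIXED_STATUS)):
        result = audit(text)
        print(f"{label}: vulnerable_default={result['vulnerable_default']} "
              f"regainable={result['regainable']}")
```

Run inside a container as `python3 audit_caps.py` to see both constructed samples, or call `audit_pid(1)` to check the container's init process; a result with `vulnerable_default` true for a non-root process indicates a runtime that still populates the Inheritable set, and the `regainable` list names exactly which capabilities a file-capability-bearing binary could hand back. Checking PID 1 is the useful test because every other process in the container inherits its sets.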


Technical Appendix

CVSS Score
6.8/ 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Probability
0.13%
Top 100% most exploited

Affected Systems

Buildah (versions <= 1.24.0)
Moby / Docker Engine (versions < 20.10.9)
Podman (via Buildah dependency)

Affected Versions Detail

Product          Vendor          Affected Versions   Fixed Version
Buildah          Containers      <= 1.24.0           1.25.0
Moby (Docker)    Moby Project    < 20.10.9           20.10.9

Attribute               Detail
CWE ID                  CWE-276 (Incorrect Default Permissions)
Attack Vector           Local (Container)
CVSS                    6.8 (Medium)
Impact                  Privilege Escalation (Intra-Container)
Exploit Status          PoC Available
Vulnerable Component    OCI Runtime Spec Generation

Vulnerability Timeline

CVE Published
2022-04-04
Patch Committed (Buildah)
2022-03-23
Advisory Released
2022-04-04
