Jan 2, 2026
Buildah and Docker Engine (Moby) were initializing containers with a fully populated 'Inheritable' capability set. This violated the principle of least privilege: a process inside the container could elevate its privileges to the container's maximum bounding set simply by executing a binary that carries file capabilities. It's a classic case of "default insecure" configuration.
A deep dive into a subtle but significant flaw in how Buildah and Docker Engine initialized Linux process capabilities. By misconfiguring the Inheritable set, these runtimes allowed unintended privilege escalation within containers, turning the Linux capability transition rules themselves against the container's security model.
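To make the mechanism concrete, here is an added example (not code from the article or from either project) that models the execve() capability transition from capabilities(7) and applies it to a constructed scenario: a capability-less process in a container (for instance one running as a non-root user) executes a binary with file capabilities in its Inheritable set, first under the vulnerable default (process Inheritable = bounding set) and then under the fix (process Inheritable = empty). The capability names and bit numbers are taken from the kernel's capability.h; the bounding set, file capabilities and the /proc status sample are constructed for the example.

```python
"""Model the execve() capability transition (capabilities(7)) to show why a
populated Inheritable set lets a file-capability binary regain the bounding set.
Capability bit numbers follow <linux/capability.h>."""

CAP_BITS = {"CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_NET_BIND_SERVICE": 10,
            "CAP_NET_RAW": 13, "CAP_SYS_CHROOT": 18, "CAP_SYS_ADMIN": 21}


def capset(*names):
    """Build a capability bitmask from capability names."""
    mask = 0
    for n in names:
        mask |= 1 << CAP_BITS[n]
    return mask


def names(mask):
    """Decode a bitmask back into sorted capability names."""
    return sorted(n for n, b in CAP_BITS.items() if mask >> b & 1)


def exec_transition(p_inh, p_bnd, p_amb, f_inh, f_perm, f_eff):
    """Return (P'permitted, P'effective) after execve of a binary with file caps.
    Kernel rules:
      P'(ambient)   = 0 if the file has file caps (it is 'privileged') else P(ambient)
      P'(permitted) = (P(inh) & F(inh)) | (F(perm) & P(bnd)) | P'(ambient)
      P'(effective) = P'(permitted) if F(effective) else P'(ambient)
    """
    privileged = bool(f_inh or f_perm)
    new_amb = 0 if privileged else p_amb
    new_perm = (p_inh & f_inh) | (f_perm & p_bnd) | new_amb
    new_eff = new_perm if f_eff else new_amb
    return new_perm, new_eff


# Constructed container bounding set (a subset of a typical runtime default).
BOUNDING = capset("CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_NET_BIND_SERVICE",
                  "CAP_NET_RAW", "CAP_SYS_CHROOT")
# Constructed binary whose file capabilities live only in the Inheritable set.
F_INH = capset("CAP_NET_RAW", "CAP_SYS_CHROOT")


def caps_gained(p_inh):
    """Permitted set a capability-less process gets by exec'ing that binary,
    given the process Inheritable set p_inh (vulnerable default: == BOUNDING)."""
    perm, _ = exec_transition(p_inh, BOUNDING, 0, F_INH, 0, True)
    return names(perm)


def inheritable_is_unsafe(status_text):
    """Defender check over a /proc/<pid>/status dump: a non-zero CapInh line
    means the process still carries the vulnerable populated Inheritable set."""
    for line in status_text.splitlines():
        if line.startswith("CapInh:"):
            return int(line.split()[1], 16) != 0
    raise ValueError("no CapInh line in status text")
```

Under the vulnerable default `caps_gained(BOUNDING)` returns the two file capabilities, while `caps_gained(0)` (the fixed, empty Inheritable set) returns nothing, because `P(inh) & F(inh)` is the only term through which Inheritable-only file capabilities can reach the new permitted set.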
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| Buildah | Containers | <= 1.24.0 | 1.25.0 |
| Moby (Docker) | Moby Project | < 20.10.9 | 20.10.9 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-276 (Incorrect Default Permissions) |
| Attack Vector | Local (Container) |
| CVSS | 6.8 (Medium) |
| Impact | Privilege Escalation (Intra-Container) |
| Exploit Status | PoC Available |
| Vulnerable Component | OCI Runtime Spec Generation |