Inheritance Tax: Resurrecting Privileges in Docker & Buildah (CVE-2022-27651)
Jan 2, 2026
Executive Summary (TL;DR)
Docker and Buildah started containers with the process 'Inheritable' capability set populated instead of empty, which is what the default should be. Because it was not empty, a process inside a container could regain privileges, up to the limits of the Bounding Set, simply by executing a binary that carries matching file capabilities, bypassing security profiles that rely on capabilities having been dropped from the Effective set.
A logic flaw in Buildah and Moby (Docker Engine) allowed containers to start with a non-empty Inheritable capability set. This subtle misconfiguration permits attackers to 'resurrect' privileges that were intended to be restricted, bypassing container hardening measures by leveraging file capabilities.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Buildah (Containers Project) | <= 1.24.0 | 1.25.0 |
| Moby / Docker Engine (Moby Project) | < 20.10.14 | 20.10.14 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-276 (Incorrect Default Permissions) |
| CVSS v3.1 | 6.6 (Medium) |
| Attack Vector | Local (Container Internal) |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
MITRE ATT&CK Mapping
The application creates a process with an inheritable capability set that is not properly restricted, allowing child processes to acquire privileges intended to be dropped.
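The mechanism described in the summary above and in this weakness description follows directly from the execve() capability rules in capabilities(7): the new permitted set is (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient). When the process Inheritable set is empty, the first term is always zero and file-inheritable bits cannot add anything. The following Python model is an added example written for this page, not code from the Docker or Buildah projects. It parses /proc/<pid>/status-style capability lines, reports which bits a container process has left resurrectable (a hardened container should report none), and applies the kernel's transition rules to show why a non-empty CapInh matters. The status excerpts and the file-capability values are constructed sample data; the bounding set 0xa80425fb is the usual default-profile value and is used here only as an illustration.

```python
import re

# Linux capability bit numbers from <linux/capability.h>.
# Only the bits that appear in the sample bounding set (plus CAP_SYS_ADMIN) are named.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 3: "CAP_FOWNER", 4: "CAP_FSETID",
    5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    10: "CAP_NET_BIND_SERVICE", 13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT",
    21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP",
}
CAP_NET_RAW = 13
CAP_SYS_ADMIN = 21

# Constructed /proc/<pid>/status excerpts for a non-root process inside a container.
# Vulnerable snapshot: CapInh == CapBnd (the flawed default). Fixed snapshot: CapInh == 0.
STATUS_VULNERABLE = """\
Name:\tsh
Uid:\t1000\t1000\t1000\t1000
CapInh:\t00000000a80425fb
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
STATUS_FIXED = STATUS_VULNERABLE.replace(
    "CapInh:\t00000000a80425fb", "CapInh:\t0000000000000000")


def parse_caps(status_text):
    """Extract the Cap* hex masks from /proc/<pid>/status text into a dict of ints."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def cap_names(mask):
    """Human-readable names for the bits set in a capability mask."""
    return sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1)


def exec_transition(proc, f_inh, f_prm, f_eff):
    """Apply the capabilities(7) execve() rules for a binary carrying file capabilities.

    A binary with any file capabilities is 'privileged', so the ambient set is cleared.
    Note that the inheritable term is NOT masked by the bounding set; only the
    file-permitted term is. That is exactly why CapInh must start out empty.
    """
    new_amb = 0 if (f_inh or f_prm) else proc["CapAmb"]
    new_prm = (proc["CapInh"] & f_inh) | (f_prm & proc["CapBnd"]) | new_amb
    new_eff = new_prm if f_eff else new_amb
    return {"CapInh": proc["CapInh"], "CapPrm": new_prm, "CapEff": new_eff,
            "CapBnd": proc["CapBnd"], "CapAmb": new_amb}


def resurrectable(proc):
    """Bits that a binary with matching file-inheritable capabilities could add back.

    This is simply the process Inheritable set; a correctly configured container
    process (after the fix) reports 0 here.
    """
    return proc["CapInh"]


def audit(status_text):
    """Defender-side check: is this process's Inheritable set empty, and if not, which caps are exposed?"""
    proc = parse_caps(status_text)
    exposed = resurrectable(proc)
    return {"ok": exposed == 0, "exposed": cap_names(exposed)}


if __name__ == "__main__":
    # Sample binary with file caps fI = {NET_RAW, SYS_ADMIN}, fP = {}, fE set (constructed).
    f_inh = (1 << CAP_NET_RAW) | (1 << CAP_SYS_ADMIN)
    for label, status in (("vulnerable", STATUS_VULNERABLE), ("fixed", STATUS_FIXED)):
        report = audit(status)
        after = exec_transition(parse_caps(status), f_inh, 0, True)
        print(f"{label}: inheritable empty={report['ok']}, exposed={report['exposed']}")
        print(f"{label}: permitted after exec={cap_names(after['CapPrm'])}")
```

Running the model against the vulnerable snapshot shows CAP_NET_RAW reappearing in the permitted and effective sets after exec, while CAP_SYS_ADMIN does not, because it was never in the container's Inheritable (or Bounding) set; this matches the summary's point that privileges come back only up to the Bounding Set limit. Against the fixed snapshot the same binary gains nothing. The audit() function is the check a practitioner would run over the status of a container's processes: any non-zero CapInh for a process that is supposed to be unprivileged is the signature of this misconfiguration.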