GHSA-C3G4-W6CV-6V7H

6.60.04%

Inheritance Tax: Resurrecting Privileges in Docker & Buildah (CVE-2022-27651)

Amit Schendel

Senior Security Researcher

Jan 2, 2026·6 min read·4 visits

PoC Available

Executive Summary (TL;DR)

Docker and Buildah accidentally left the 'Inheritable' capability set wide open. By default, containers should start with this set empty. Because it wasn't, a process inside a container could elevate its privileges back up to the Bounding Set limits simply by executing a binary with specific file capabilities attached, effectively bypassing security profiles that rely on dropping capabilities from the Effective set.

A logic flaw in Buildah and Moby (Docker Engine) allowed containers to start with a non-empty Inheritable capability set. This subtle misconfiguration permits attackers to 'resurrect' privileges that were intended to be restricted, bypassing container hardening measures by leveraging file capabilities.

Official Patches

BuildahGitHub Security Advisory with patch details

DockerDocker Engine 20.10.14 Release Notes

Fix Analysis (1)

Technical Appendix

CVSS Score

6.6/ 10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.04%

Top 100% most exploited

Affected Systems

Buildah <= 1.24.0Moby (Docker Engine) < 20.10.14Fedora 34 (containers-common)Fedora 35 (containers-common)Fedora 36 (containers-common)

Affected Versions Detail

Product	Affected Versions	Fixed Version
Buildah Containers Project	<= 1.24.0	1.25.0
Moby (Docker) Moby Project	< 20.10.14	20.10.14

Attribute	Detail
CWE ID	CWE-276 (Incorrect Default Permissions)
CVSS v3.1	6.6 (Medium)
Attack Vector	Local (Container Internal)
Privileges Required	Low
User Interaction	None
Scope	Unchanged

MITRE ATT&CK Mapping

T1548.001Abuse Elevation Control Mechanism: Setuid and Setgid

Privilege Escalation

T1611Escape to Host (Attempt)

Privilege Escalation

CWE-276

Incorrect Default Permissions

The application creates a process with an inheritable capability set that is not properly restricted, allowing child processes to acquire privileges intended to be dropped.

Known Exploits & Detection

Manual VerificationUse `grep CapInh /proc/self/status` inside a container. Non-zero values indicate vulnerability.

Vulnerability Timeline

CVE Published

2022-03-24

Docker 20.10.14 Released with Fix

2022-03-24

Buildah 1.25.0 Released with Fix

2022-03-24

GHSA-C3G4-W6CV-6V7H

6.60.04%

Inheritance Tax: Resurrecting Privileges in Docker & Buildah (CVE-2022-27651)

Amit Schendel

Senior Security Researcher

Jan 2, 2026·6 min read·4 visits

PoC Available

Executive Summary (TL;DR)

Attack Flow Diagram

Official Patches

BuildahGitHub Security Advisory with patch details

DockerDocker Engine 20.10.14 Release Notes

Fix Analysis (1)

Technical Appendix

CVSS Score

6.6/ 10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.04%

Top 100% most exploited

Affected Systems

Buildah <= 1.24.0Moby (Docker Engine) < 20.10.14Fedora 34 (containers-common)Fedora 35 (containers-common)Fedora 36 (containers-common)

Affected Versions Detail

Product	Affected Versions	Fixed Version
Buildah Containers Project	<= 1.24.0	1.25.0
Moby (Docker) Moby Project	< 20.10.14	20.10.14

Attribute	Detail
CWE ID	CWE-276 (Incorrect Default Permissions)
CVSS v3.1	6.6 (Medium)
Attack Vector	Local (Container Internal)
Privileges Required	Low
User Interaction	None
Scope	Unchanged

MITRE ATT&CK Mapping

T1548.001Abuse Elevation Control Mechanism: Setuid and Setgid

Privilege Escalation

T1611Escape to Host (Attempt)

Privilege Escalation

CWE-276

Incorrect Default Permissions

The application creates a process with an inheritable capability set that is not properly restricted, allowing child processes to acquire privileges intended to be dropped.

Known Exploits & Detection

Manual VerificationUse `grep CapInh /proc/self/status` inside a container. Non-zero values indicate vulnerability.

Vulnerability Timeline

CVE Published

2022-03-24

Docker 20.10.14 Released with Fix

2022-03-24

Buildah 1.25.0 Released with Fix

2022-03-24