CVE-2025-2713
Published: 28 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-2713 is a local privilege escalation vulnerability in the runsc component of Google gVisor, a user-space kernel for running containers securely. The flaw stems from incorrect handling of file access permissions, where the process initially executes with root-like permissions until the first fork, enabling unprivileged users to access restricted files. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-266 (Incorrect Privilege Assignment for Critical Resource).
A local attacker with low privileges, such as an unprivileged user on the host system, can exploit this vulnerability with low complexity and without user interaction. Successful exploitation allows the attacker to read, modify, or disrupt restricted files, with high impact on confidentiality, integrity, and availability, effectively escalating privileges to root-like access within the gVisor environment.
The fix is a patch committed to the gVisor repository at https://github.com/google/gvisor/commit/586c38d70081b13b2ed494cef48e99b93956843e. Security practitioners should review it and apply it to affected runsc deployments to correct the permission handling logic.
Details
CWE(s): CWE-266 (Incorrect Privilege Assignment for Critical Resource)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a local privilege escalation in gVisor runsc caused by incorrect file permission handling before the first fork, which directly enables exploitation for elevated (root-like) access.