CVE-2026-30892

low-risk

Published 2026-03-26

crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

Affected Products (1)

Crun

Affected Vendors

Crun Project

References (3)

Patch https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b...

Product https://github.com/containers/crun/releases/tag/1.27

Exploit https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj

/ 100

low-risk

Severity 4/34 · Minimal

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal