Gvisor Sandbox Under Attack: Root Access Required for Panic

CVE-2023-7258

4.8MEDIUM

Key Information

Vendor: Google
Status: Gvisor
Vendor: CVE Published:; 15 May 2024

Summary

A denial of service exists in Gvisor Sandbox where a bug in reference counting code in mount point tracking could lead to a panic, making it possible for an attacker running as root and with permission to mount volumes to kill the sandbox. We recommend upgrading past commit 6a112c60a257dadac59962e0bc9e9b5aee70b5b6

Affected Version(s)

Gvisor < 6a112c60a257dadac59962e0bc9e9b5aee70b5b6

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published.
May 15, 2024
Vulnerability Reserved.
May 2, 2024

Collectors

NVD DatabaseMitre Database