Gvisor Sandbox Under Attack: Root Access Required for Panic
CVE-2023-7258

4.8MEDIUM

Key Information:

Vendor: Google
Status: Gvisor
Vendor: CVE Published:; 15 May 2024

Summary

A denial of service exists in Gvisor Sandbox where a bug in reference counting code in mount point tracking could lead to a panic, making it possible for an attacker running as root and with permission to mount volumes to kill the sandbox. We recommend upgrading past commit 6a112c60a257dadac59962e0bc9e9b5aee70b5b6

Affected Version(s)

Gvisor 0b983ff832b175e406f4f9b1a3868457bb1ceb7b < 6a112c60a257dadac59962e0bc9e9b5aee70b5b6

References

https://github.com/google/gvisor/commit/6a112c60a257dadac...

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 15, 2024
Vulnerability Reserved
May 2, 2024

Collectors

NVD DatabaseMitre Database