Sign In

CVE-2025-64761

ADVISORY - github

Summary

Impact

Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this is an issue when:

  1. An operator in the root namespace has access to identity/groups endpoints.
  2. An operator does not have policy access.

Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability.

Patches

Patched in version 2.4.4.

Workarounds

Users should audit the use of identity subsystem and deny operators access if it is not in use.

EPSS Score: 0.00039 (0.116)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-266

Incorrect Privilege Assignment

ADVISORY - github

CWE-266

Incorrect Privilege Assignment

CWE-269

Improper Privilege Management

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in