CVE-2025-27612: 
Rust vulnerability analysis and mitigation

CVE-2025-27612 affects libcontainer, a library for container control, prior to version 0.5.3. The vulnerability was discovered and disclosed on March 21, 2025. The issue exists in the tenant builder functionality when creating a tenant container, where it incorrectly handles capability inheritance, potentially leading to capability elevation (GitHub Advisory).

The vulnerability occurs when the tenant builder accepts a list of capabilities to be added to the tenant container's spec. The logic adds the given capabilities to all capabilities of the main container if present in spec, or sets provided capabilities as capabilities of the tenant container. This implementation can lead to elevation of capabilities, similar to CVE-2022-29162. The issue has been assigned a CVSS v3.1 base score of 5.9 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (GitHub Advisory).

The vulnerability could allow for capability elevation within container environments. However, it's important to note that this does not affect the youki binary itself, as its exec implementation is partially broken and does not pass user-provided capabilities to tenant containers. The issue only impacts systems directly using libcontainer and specifically utilizing the tenant builder functionality (GitHub Advisory).

The vulnerability has been patched in libcontainer version 0.5.3. For those unable to upgrade, two workarounds are available: 1) Do not pass any user-provided capabilities to the tenant builder, which will result in no capabilities being set on the tenant, or 2) Verify the capabilities of the original container and filter the user-passed capabilities before setting them on the tenant (GitHub Advisory).