CVE-2026-30892: crun Container Runtime Flaw Allows Privilege Escalation via `--user` Option
A security flaw in the open-source crun container runtime enables local privilege escalation, allowing a user to obtain root-level access. The vulnerability, tracked as CVE-2026-30892, stems from a parsing error in the `crun exec` command: when the `--user` option is given the value `1`, crun treats it as root (User ID 0 and Group ID 0) instead of the intended User ID 1. The exec'd process therefore runs with more privilege than the caller requested, which defeats the least-privilege configuration the container was meant to enforce and gives a local attacker who can drive `crun exec` a direct path to escalate their access on the host system.
The flaw affects crun versions prior to 1.27-1.el9_7 on Red Hat Enterprise Linux 9.7; the fix surfaced as a security update in an RPM lockfile that bumped crun from 1.26-1.el9_7 to 1.27-1.el9_7. Note that the `el9_7` suffix is Red Hat's packaging string, so on other distributions you should consult that distribution's advisory for the corresponding fixed package rather than matching this exact version. crun is a core OCI-compliant container runtime, widely used as the low-level runtime beneath Podman and CRI-O. Because it is the component that actually sets up and executes container processes, a bug here strikes at the fundamental isolation boundary between containers and the host operating system.
While rated as 'Moderate' severity by Red Hat, the impact is significant for any environment that runs containers on crun. Successful exploitation could compromise container isolation, allowing an attacker to break out of a container or perform unauthorized actions on the host. System administrators and DevOps teams are urged to verify their installed crun version (for example with `rpm -q crun` on RHEL-family hosts, or `crun --version` on any host) and apply the update to 1.27-1.el9_7 immediately. The fix corrects the parsing logic for the `--user` argument, closing this privilege escalation vector. Ongoing scrutiny of container runtime security remains essential, as such low-level components form the bedrock of modern, multi-tenant cloud infrastructure.
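The following script is an added example, not crun's code or part of the advisory. It covers both points above: it compares the installed crun package against the fixed RHEL 9.7 release named here, and it probes the `crun exec --user` behaviour directly by exec'ing into a running container as `--user 1` and checking whether the process really received UID 1 rather than 0. The version comparison is a simplified rpmvercmp, not the real one (use `rpmdev-vercmp` for the authoritative answer); the container name `CONTAINER` and the default runtime command are assumptions. Only the UID is checked when `--user` names no group, since the GID crun picks for a uid-only spec depends on the container's `/etc/passwd`.

```python
"""Added check for CVE-2026-30892 (illustrative; not crun's own code)."""
import re
import subprocess
from typing import List, Optional, Sequence, Tuple

# Fixed RHEL 9.7 package named in the advisory (version-release part of the NVR).
FIXED_VR = "1.27-1.el9_7"


def _segments(s: str) -> List[Tuple[int, object]]:
    """Split a version string into rpm-style numeric/alpha segments.
    Numeric segments sort after alpha ones, as rpmvercmp does."""
    out: List[Tuple[int, object]] = []
    for seg in re.findall(r"\d+|[A-Za-z]+", s):
        out.append((1, int(seg)) if seg.isdigit() else (0, seg))
    return out


def compare_vr(a: str, b: str) -> int:
    """Compare two 'version-release' strings: <0 if a is older, 0 equal, >0 newer.
    Simplified rpmvercmp: version is compared first, then release."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    for x, y in ((av, bv), (ar, br)):
        sx, sy = _segments(x), _segments(y)
        if sx != sy:
            return -1 if sx < sy else 1
    return 0


def is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True if the installed version-release is at or past the fixed one."""
    return compare_vr(installed_vr, fixed_vr) >= 0


def installed_vr() -> Optional[str]:
    """Version-release of the installed crun rpm, or None if rpm/crun is absent."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "crun"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip()


def parse_user_spec(spec: str) -> Tuple[int, Optional[int]]:
    """Parse a numeric `--user` value as written on the command line: 'uid' or
    'uid:gid'. Names are not resolved here (that needs the container's passwd)."""
    uid_s, sep, gid_s = spec.partition(":")
    if not uid_s.isdigit() or (sep and not gid_s.isdigit()):
        raise ValueError("unsupported --user spec: %r" % spec)
    return int(uid_s), (int(gid_s) if sep else None)


def ids_honoured(spec: str, id_output: str) -> bool:
    """True iff the UID (and GID, when one was requested) printed by
    `id -u; id -g` inside the container match what `--user` asked for.
    A '1' spec that comes back as '0' is exactly the CVE-2026-30892 symptom."""
    uid, gid = parse_user_spec(spec)
    fields = id_output.split()
    if len(fields) != 2 or not all(f.isdigit() for f in fields):
        raise ValueError("unexpected id output: %r" % id_output)
    got_uid, got_gid = int(fields[0]), int(fields[1])
    if got_uid != uid:
        return False
    return gid is None or got_gid == gid


def probe_exec(container: str, spec: str = "1",
               runtime: Sequence[str] = ("crun",)) -> bool:
    """Exec into a running container with --user and check the IDs it got.
    The default runs `crun exec` directly, which is the code path the advisory
    names; a higher-level tool may hand the user spec to crun differently."""
    cmd = [*runtime, "exec", "--user", spec, container, "sh", "-c", "id -u; id -g"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return ids_honoured(spec, out)


if __name__ == "__main__":
    CONTAINER = "test-ctr"  # assumed name of an already running container
    vr = installed_vr()
    print("installed crun:", vr, "fixed:" if vr and is_fixed(vr) else "NOT fixed or unknown")
    try:
        print("--user 1 honoured:", probe_exec(CONTAINER))
    except (OSError, subprocess.CalledProcessError) as exc:
        print("probe skipped:", exc)
```

Run it on the host as a user who can exec into `CONTAINER`; a `False` from `probe_exec` means the exec'd shell reported an ID other than the one requested, which is the behaviour the fix removes. The version check is only meaningful on rpm-based hosts; elsewhere, rely on the runtime probe and your distribution's own advisory.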