systemd nspawn Escape-to-Host Vulnerability via Crafted Optional Config File

Vulnerability

A vulnerability in systemd nspawn, affecting versions 233 through 259 (all releases prior to 260), allows an escape to the host through a crafted optional configuration file (a '.nspawn' settings file). It stems from two parsing bugs affecting the 'PivotRoot=', 'BindUser=', and 'Ephemeral=' options. When exploited, the container is spawned on the host's root filesystem instead of inside the container image, and with elevated privileges.

Impact

Exploitation of this vulnerability causes a container to be launched on the host's root filesystem with elevated privileges, rather than within the intended container environment, so the container's workload gains direct access to the host.

Remediation

Update to systemd version 260, or to one of the patched point releases 259.4, 258.6, or 257.12, all of which include the necessary fixes. As an interim measure, sanitize the storage directories so that no '.nspawn' configuration files are picked up, or ensure that any such files do not include the 'PivotRoot=', 'BindUser=', or 'Ephemeral=' options.
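The interim measure above can be checked mechanically. The following is an added example, not part of the advisory or of systemd: it parses '.nspawn' files the way the settings format is laid out (INI-style sections, Key=Value lines, '#' or ';' comments, backslash continuations) and reports any of the three options, ignoring commented-out lines; the sample file is constructed, and any directories you pass are your own choice.

```python
# Added example (not from the advisory or systemd): audit .nspawn settings files
# for the three options the advisory says untrusted files must not set. Assumes
# the usual layout: INI sections, Key=Value lines, '#'/';' comments, '\' continuations.
import os
import re
from pathlib import Path

RISKY_KEYS = {"PivotRoot", "BindUser", "Ephemeral"}
_KEY_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=(.*)$")
_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

# Constructed sample file, not taken from any real system.
SAMPLE = """[Exec]
Boot=yes
# PivotRoot=/srv/root   <- commented out, must not be reported
Ephemeral=yes
[Files]
Bind=/srv/data
BindUser=alice \\
  bob
"""


def audit_nspawn_text(text):
    """Return (section, key, first_line, value) for each risky assignment."""
    findings, section, pending, start = [], "", "", 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        start = start if pending else line_no
        if raw.rstrip().endswith("\\"):  # systemd joins '\'-terminated lines
            pending += raw.rstrip()[:-1] + " "
            continue
        line, pending = pending + raw, ""
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank or comment line sets nothing
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = _KEY_RE.match(line)
        if m and m.group(1) in RISKY_KEYS:
            findings.append((section, m.group(1), start, " ".join(m.group(2).split())))
    return findings


def audit_nspawn_dirs(dirs):
    """Map each .nspawn file in the given directories to its findings."""
    files = (p for d in filter(os.path.isdir, dirs) for p in sorted(Path(d).glob("*.nspawn")))
    hits = ((str(p), audit_nspawn_text(p.read_text(errors="replace"))) for p in files)
    return {path: found for path, found in hits if found}
```

Run `audit_nspawn_dirs` over the directories where your images and their settings files live; an empty result means none of the three options is set in any '.nspawn' file there.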

Added: Apr 10, 2026, 4:23 PM
Updated: Apr 10, 2026, 4:23 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 10.0
exploitability: 2.8
remediation: 8.3
relevance: 5.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.