CVE-2016-3697

high

Published 2016-06-01 · Modified 2026-02-04

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

7.8

Description

libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2016-3697 NameCVE-2016-3697 Descriptionlibcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE,…

CVE-2016-3697

Name	CVE-2016-3697
Description	libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
docker.io (PTS)	bullseye	20.10.5+dfsg1-1+deb11u2	fixed
	bullseye (security)	20.10.5+dfsg1-1+deb11u4	fixed
	bookworm	20.10.24+dfsg1-1+deb12u1	fixed
	trixie	26.1.5+dfsg1-9	fixed
	forky, sid	28.5.2+dfsg4-2	fixed
runc (PTS)	bullseye	1.0.0~rc93+ds1-5+deb11u5	fixed
	bullseye (security)	1.0.0~rc93+ds1-5+deb11u3	fixed
	bookworm, bookworm (security)	1.1.5+ds1-1+deb12u1	fixed
	trixie	1.1.15+ds1-2	fixed
	forky, sid	1.3.5+ds1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
docker.io	source	(unstable)	(not affected)
runc	source	(unstable)	0.1.0+dfsg-1

Notes

- docker.io <not-affected> (Vulnerable code not present)
Affected file not present, but docker.io probably needs to be rebuild with fixed runc
https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091 (runc, v0.1.0)
https://github.com/docker/docker/commit/da38ac6c79fe902ed0687afc73d731c95c6d491a (docker)

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

- docker.io <not-affected> (Vulnerable code not present)Affected file not present, but docker.io probably needs to be rebuild with fixed runchttps://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091 (runc, v0.1.0)https://github.com/docker/docker/commit/da38ac6c79fe902ed0687afc73d731c95c6d491a (docker)

OS impact

SUSE Affected 2 releases

Version	Status	Fixed in
13.2	Affected	—
—	Affected	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`0`
sid	Fixed	`0`
forky	Fixed	`0`
bullseye	Fixed	`0`
bookworm	Fixed	`0`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Go	github.com/opencontainers/runc	`<0.1.0`	`0.1.0`

Application impact

Vendor	Product	Versions	Fixed
docker	docker	`{"endIncluding":"1.11.1"}`
linuxfoundation	runc	`{"endIncluding":"0.0.9"}`

References

CWEs

CWE-264

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.