Google Gvisor

By the Year

In 2026 there have been 0 vulnerabilities in Google Gvisor. Last year, in 2025, Gvisor had 3 security vulnerabilities published. Right now, Gvisor is on track to have fewer security vulnerabilities in 2026 than it did last year.

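| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 0 | 0.00 |
| 2025 | 3 | 6.13 |
| 2024 | 1 | 6.50 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 3 | 8.30 |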

It may take a day or so for new Gvisor vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Google Gvisor Security Vulnerabilities

Google gVisor runsc LPE via incorrect file permission handling
CVE-2025-2713 7.8 - High - March 28, 2025

Google gVisor's runsc component exhibited a local privilege escalation vulnerability due to incorrect handling of file access permissions, which allowed unprivileged users to access restricted files. This occurred because the process initially ran with root-like permissions until the first fork.

gVisor TCP/UDP source port prediction CVE-2024-10603
CVE-2024-10603 5.3 - Medium - January 30, 2025

Weaknesses in the generation of TCP/UDP source ports and some other header values in Google's gVisor allowed them to be predicted by an external attacker in some circumstances.

gVisor Weak Hashing Enables IP & BootID Leakage
CVE-2024-10026 5.3 - Medium - January 30, 2025

A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.

Inadequate Encryption Strength

DoS in Gvisor Sandbox due to reference counting bug (root mounts)
CVE-2023-7258 6.5 - Medium - May 15, 2024

A denial of service exists in Gvisor Sandbox where a bug in reference counting code in mount point tracking could lead to a panic, making it possible for an attacker running as root and with permission to mount volumes to kill the sandbox. We recommend upgrading past commit 6a112c60a257dadac59962e0bc9e9b5aee70b5b6.

Google gVisor before 2018-08-22 reuses a pagetable in a different level with the paging-structure cache intact, which
CVE-2018-20168 - December 17, 2018

Google gVisor before 2018-08-22 reuses a pagetable in a different level with the paging-structure cache intact, which allows attackers to cause a denial of service ("physical address not valid" panic) via a crafted application.

pkg/sentry/kernel/shm/shm.go in Google gVisor before 2018-11-01
CVE-2018-19333 9.8 - Critical - November 17, 2018

pkg/sentry/kernel/shm/shm.go in Google gVisor before 2018-11-01 allows attackers to overwrite memory locations in processes running as root (but not escape the sandbox) via vectors involving IPC_RMID shmctl calls, because reference counting is mishandled.

Google gVisor before 2018-08-23, within the seccomp sandbox, permits access to the renameat system call, which
CVE-2018-16359 6.8 - Medium - September 02, 2018

Google gVisor before 2018-08-23, within the seccomp sandbox, permits access to the renameat system call, which allows attackers to rename files on the host OS.
