
OSG-SEC-2018-12-12 Critical vulnerability in Singularity

Dear OSG Security Contacts,

The following announcement impacts sites running Singularity on RHEL7.


Singularity versions 2.4.0 through 2.6.0


This issue affects Singularity 2.4.0 through 2.6.0 on RHEL7, or on any modern systemd-based distribution where mount points use shared mount propagation by default (CVE-2018-19295). A malicious local user with access to the host (e.g. via SSH, or by submitting a batch job that runs their payload) could exploit this vulnerability to mount arbitrary directories into the host's mount namespace, resulting in privilege escalation.

The vulnerability affects the setuid-root mode of Singularity. The RHEL 7.6 kernel supports the non-setuid mode of Singularity (which relies on user namespaces instead of a setuid helper), but that mode has not yet been sufficiently tested for it to be a recommended workaround at this time.

OSG Security considers this vulnerability CRITICAL for sites running Singularity.


All sites should install Singularity version 2.6.1 as soon as possible and remove any old versions installed. Singularity 2.6.1 is available in the osg-testing repository; testing is still in progress. Release to the production repository is planned for later today, December 12. To install from the testing repository, issue the following yum command:

yum install --enablerepo=osg-testing singularity

The release announcement from the Singularity project mentions a workaround of disabling shared mount propagation on the host, but that adversely affects the visibility of CVMFS automount mount points inside containers (a CVMFS repository automounted on the host after a container has started would no longer appear inside it), so we do not recommend it; do the upgrade instead.
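As an added example (not code from OSG or the Singularity project), the following POSIX shell check lets a site administrator see whether the installed Singularity falls in the affected range 2.4.0 through 2.6.0 and whether the host's root mount uses shared propagation, the condition under which the vulnerability applies. It assumes that `singularity --version` prints the version as its last word and that /proc/self/mountinfo exposes propagation as a `shared:N` optional field; the two mountinfo lines embedded in it are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added check for OSG-SEC-2018-12-12; not code from OSG or the Singularity project.
# Assumptions: Singularity prints its version as the last word of
# `singularity --version`, and /proc/self/mountinfo carries a "shared:N"
# peer-group tag in its optional fields for mounts with shared propagation.

# Return 0 if VERSION (e.g. "2.6.0", or RPM-style "2.6.0-1.osg35.el7") lies in
# the affected range 2.4.0 through 2.6.0 inclusive, 1 otherwise.
is_affected_version() {
    v=${1%%-*}                      # drop an RPM release suffix, if any
    major=$(printf '%s\n' "$v" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s\n' "$v" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    patch=$(printf '%s\n' "$v" | cut -s -d. -f3 | sed 's/[^0-9].*//')
    n=$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
    [ "$n" -ge 2004000 ] && [ "$n" -le 2006000 ]
}

# Return 0 if a /proc/self/mountinfo LINE carries a "shared:N" tag, 1 otherwise.
# The optional fields sit between the mount options and the " - " separator,
# so only that part of the line is inspected.
mountinfo_is_shared() {
    opts=${1%% - *}
    case " $opts " in
        *" shared:"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print the propagation of the live root mount: "shared", "not shared",
# or "unknown" when /proc/self/mountinfo is unavailable.
root_propagation() {
    [ -r /proc/self/mountinfo ] || { echo unknown; return 0; }
    while IFS= read -r line; do
        mp=$(printf '%s\n' "$line" | cut -d' ' -f5)    # field 5 is the mount point
        if [ "$mp" = "/" ]; then
            if mountinfo_is_shared "$line"; then echo shared; else echo "not shared"; fi
            return 0
        fi
    done < /proc/self/mountinfo
    echo unknown
}

# Constructed mountinfo lines (not captured from a real host) for the two cases:
# a systemd-style shared root, and a root whose propagation has been made private.
SAMPLE_SHARED='22 0 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/rhel-root rw,attr2,inode64,noquota'
SAMPLE_PRIVATE='22 0 253:0 / / rw,relatime - xfs /dev/mapper/rhel-root rw,attr2,inode64,noquota'

# Report on the host this runs on.
report() {
    ver=$(singularity --version 2>/dev/null | awk '{print $NF}')
    if [ -z "$ver" ]; then
        echo "singularity: not found in PATH"
    elif is_affected_version "$ver"; then
        echo "singularity $ver: AFFECTED (CVE-2018-19295); upgrade to 2.6.1"
    else
        echo "singularity $ver: outside the affected range 2.4.0-2.6.0"
    fi
    echo "root mount propagation on this host: $(root_propagation)"
}

report
```

An affected version together with a shared root means the upgrade is required; on an unaffected version, a shared root is simply the systemd default, and it is what lets CVMFS automounts made on the host show up inside running containers.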


Please contact [email protected] if you have any questions or concerns.

Sincerely, Ryan Kiser on behalf of the OSG Security Team