CVE-2026-47215: Singularity: Incorrect path matching for 'limit container paths' directive
The limit container paths directive in singularity.conf is intended to allow a system administrator to limit the paths from which containers can be run under setuid mode. Due to incorrect matching of a path string (a plain prefix comparison rather than a comparison on whole path components), sibling directories whose names begin with a configured path may incorrectly be allowed.
For example, the configuration:
limit container paths = /data/safe
Will also allow containers in /data/safe-but-unsafe to be run.
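To make the matching error concrete, here is an added Go illustration (not Singularity's own code, and not the fix from the referenced commit): naiveAllowed reproduces a bare string-prefix test, and componentAllowed shows the check an administrator would expect, which only accepts a path equal to the configured directory or lying beneath it as a whole path component. The function names, the multi-entry list handled by allowedByAny, and the sample paths are constructed for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveAllowed reproduces the flawed behaviour described in the advisory
// (constructed illustration, not Singularity's code): a plain string prefix
// test, so "/data/safe-but-unsafe" passes for limit "/data/safe".
func naiveAllowed(limitDir, containerPath string) bool {
	return strings.HasPrefix(containerPath, limitDir)
}

// componentAllowed is the corrected check: both paths are cleaned, and the
// container path must equal the limit directory or start with it followed by
// a path separator, so only real subdirectories of the limit match.
func componentAllowed(limitDir, containerPath string) bool {
	limitDir = filepath.Clean(limitDir)
	containerPath = filepath.Clean(containerPath)
	if containerPath == limitDir {
		return true
	}
	prefix := limitDir
	if !strings.HasSuffix(prefix, string(filepath.Separator)) {
		prefix += string(filepath.Separator)
	}
	return strings.HasPrefix(containerPath, prefix)
}

// allowedByAny applies the corrected check across a list of configured
// directories (assumed shape of a multi-entry limit): the container is
// permitted if it lies under any one of them.
func allowedByAny(limits []string, containerPath string) bool {
	for _, l := range limits {
		if componentAllowed(l, containerPath) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs mirroring the advisory's example.
	limits := []string{"/data/safe"}
	for _, p := range []string{
		"/data/safe/img.sif",
		"/data/safe-but-unsafe/img.sif",
		"/data/safe/../other/img.sif",
	} {
		fmt.Printf("%-32s naive=%-5v fixed=%v\n",
			p, naiveAllowed(limits[0], p), allowedByAny(limits, p))
	}
}
```

Cleaning with filepath.Clean also rejects a path that escapes the directory via "..", which a prefix test on the raw string would accept. In a real checker the container path should additionally be resolved with filepath.EvalSymlinks before comparison, since a symlink inside the permitted directory can point elsewhere; that step is omitted here because the example runs without a filesystem.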
References
- docs.sylabs.io/guides/latest/admin-guide/configfiles.html
- github.com/advisories/GHSA-wqcr-7rf3-f64m
- github.com/sylabs/singularity/commit/c08791793e843d4c9c1f2fc1d9d12abef747378f
- github.com/sylabs/singularity/releases/tag/v4.4.2
- github.com/sylabs/singularity/security/advisories/GHSA-wqcr-7rf3-f64m
- nvd.nist.gov/vuln/detail/CVE-2026-47215