skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
May 25, 2023

GHSL-2023-046: Local Privilege Escalation in sccache - CVE-2023-1521

GitHub Security Lab

Coordinated Disclosure Timeline


On Linux the sccache client can execute arbitrary code with the privileges of a local sccache server, by preloading the code in a shared library passed to LD_PRELOAD.

If the server is run as root (which is the default when installing the snap package), this means a user running the sccache client can get root privileges.



Tested Versions

The v2.2 snap package and a relatively recent commit. (Tested on Ubuntu 22.10.)


Issue: client can run code with local server privileges (GHSL-2023-046)

When the sccache sends a compile request to the server, it includes a copy of the local environment (src/

let req = Request::Compile(Compile {
    exe: exe.as_ref().to_owned().into(),
    cwd: cwd.as_ref().to_owned().into(),
    args: args.iter().map(|a| a.as_ref().to_owned()).collect(),
    env_vars,   <----- copy of local environment

The server executes the compile command with those same environment variables. An attacker can exploit this by setting the LD_PRELOAD environment variable to the absolute path of a malicious shared library. If the server is running as root (which is how it is configured in the snap package) then this enables an unprivileged local user to gain root privileges.

Note that there is already a FIXME comment in the code warning of this risk (src/

// FIXME: Maybe we should strip out `LD_PRELOAD` always?

To reproduce the vulnerability, first install sccache:

sudo snap install --candidate sccache --classic

Then build run from the attached tarball:


The script creates a root-owned file: /oops_I_shouldnt_be_here


A regular user on a Linux machine with a system-wide sccache installation running the server as root (such as one installed via the snap package) can gain full administrative access to the machine.



This issue was discovered and reported by @redsun82 (Paolo Tranquilli).


You can contact the GHSL team at, please include a reference to GHSL-2023-046 in any communication regarding this issue.