Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Local low-privilege call to landlock_restrict_self() required; only audit log flag integrity is lost, with no confidentiality or availability impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()
hook_cred_transfer() only copies the Landlock security blob when the source credential has a domain. This is inconsistent with landlock_restrict_self() which can set LOG_SUBDOMAINS_OFF on a credential without creating a domain (via the ruleset_fd=-1 path): the field is committed but not preserved across fork() because the child's prepare_creds() calls hook_cred_transfer() which skips the copy when domain is NULL.
This breaks the documented use case where a process mutes subdomain logs before forking sandboxed children: the children lose the muting and their domains produce unexpected audit records.
Fix this by unconditionally copying the Landlock credential blob.
AnalysisAI
Landlock LSM's credential transfer hook in the Linux kernel silently drops the LOG_SUBDOMAINS_OFF audit-muting flag across fork() boundaries, breaking the documented sandboxing pattern where a parent process suppresses subdomain audit logs before spawning sandboxed children. Affected kernels from commit ead9079f75696 onward across the 6.15, 6.18, and 7.x stable branches allow child processes to emit unexpected Landlock audit records the operator explicitly intended to suppress. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), and this is a logic correctness defect rather than a privilege-escalation or data-exfiltration path.
Technical ContextAI
Landlock is a Linux Security Module (LSM) that enables unprivileged process sandboxing via rulesets applied through the landlock_restrict_self() syscall. The credential lifecycle hook hook_cred_transfer() is responsible for copying the Landlock security blob (containing per-credential security state such as the ruleset domain and log-control flags) into child credential structs during fork(). The defect is that hook_cred_transfer() gates the entire blob copy on the presence of a non-NULL domain pointer. However, landlock_restrict_self() exposes a special ruleset_fd=-1 path that sets LOG_SUBDOMAINS_OFF on the calling process's credentials without creating any domain. Because domain is NULL in this case, hook_cred_transfer() skips the copy entirely on fork(), and the child credential struct is left with the flag at its zero/default value. The CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covers the full kernel tree. No CWE is assigned by NVD; the closest classification is CWE-665 (Improper Initialization) - the child credential blob is not properly initialized from parent state - though an argument for CWE-284 (Improper Access Control) in an audit-control context is also defensible.
RemediationAI
Upstream fix available (commits at kernel.org); released patched versions confirmed as Linux 6.18.27, 7.0.4, and 7.1-rc1 per EUVD-2026-32439. Administrators should upgrade to the patched stable release appropriate for their kernel branch: apply the backport commit 2fcde49092aac55d5beef43fdd3633217672f7d1 for 6.18 series, 874c8f83826c95c62c21d9edfe9ef43e5c346724 for 6.15 series, or 1c513b8a00df13d231021e74ad92babb3fedf64a for 7.x. If immediate patching is not feasible and the deployment relies on Landlock subdomain log muting, a viable application-level workaround is to call landlock_restrict_self() with ruleset_fd=-1 in each child process after fork() rather than in the parent before fork(), explicitly setting LOG_SUBDOMAINS_OFF per-child. This requires application-level code changes and may not be practical in all architectures. Systems that do not use Landlock sandboxing or do not rely on the ruleset_fd=-1 log-muting path are unaffected and require no action.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32439
GHSA-q738-wcrr-x4xx