Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local unprivileged user (PR:L) needs only userns creation (AC:L); crossing into an inherited netns is a scope change (S:C); impact is mainly network admin control (I:H/A:H) with limited direct data disclosure (C:L).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
/dev/ppp open is currently authorized against file->f_cred->user_ns, while unattached administrative ioctls operate on current->nsproxy->net_ns.
As a result, a local unprivileged user can create a new user namespace with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace, and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against an inherited network namespace.
Require CAP_NET_ADMIN in the user namespace that owns the target network namespace before handling unattached PPP administrative ioctls.
This preserves normal pppd operation in the network namespace it is actually privileged in, while rejecting the userns-only inherited-netns case.
AnalysisAI
Local privilege escalation in the Linux kernel's PPP driver allows an unprivileged user to issue network-administration ioctls against a network namespace they should not control. The /dev/ppp device authorizes opens against the file owner's user namespace (f_cred->user_ns) while unattached administrative ioctls act on current->nsproxy->net_ns, so a user who creates a new user namespace via CLONE_NEWUSER and gains CAP_NET_ADMIN only there can still invoke PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against an inherited (parent) network namespace. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) local code execution as an unprivileged user on the target host, (2) the ability to create a new user namespace via CLONE_NEWUSER - i.e., unprivileged user namespaces must be enabled (disabled by default on some hardened distributions, which fully blocks the attack), and (3) access to open the /dev/ppp device. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and point to a real but bounded, local-only privilege issue rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unprivileged local user (for example a low-privileged shell on a shared or container host) calls unshare(CLONE_NEWUSER) to create a user namespace where they hold CAP_NET_ADMIN, opens /dev/ppp, and then issues PPPIOCNEWUNIT/PPPIOCATTACH/PPPIOCATTCHAN ioctls that take effect in the inherited parent network namespace they were never authorized to administer. This lets them create and attach PPP units/channels and manipulate networking in a namespace outside their privilege boundary, undermining tenant isolation. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1, or the corresponding patched build from your distribution. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Linux systems and identify which are running PPP driver and user namespace features; prioritize high-privilege user accounts and systems in shared environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38943
GHSA-v495-j4w2-68hc