Skip to main content

Linux Kernel CVE-2026-53075

| EUVDEUVD-2026-38943 HIGH
2026-06-24 Linux GHSA-v495-j4w2-68hc
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.7 HIGH

Local unprivileged user (PR:L) needs only userns creation (AC:L); crossing into an inherited netns is a scope change (S:C); impact is mainly network admin control (I:H/A:H) with limited direct data disclosure (C:L).

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:04 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 8.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ppp: require CAP_NET_ADMIN in target netns for unattached ioctls

/dev/ppp open is currently authorized against file->f_cred->user_ns, while unattached administrative ioctls operate on current->nsproxy->net_ns.

As a result, a local unprivileged user can create a new user namespace with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace, and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against an inherited network namespace.

Require CAP_NET_ADMIN in the user namespace that owns the target network namespace before handling unattached PPP administrative ioctls.

This preserves normal pppd operation in the network namespace it is actually privileged in, while rejecting the userns-only inherited-netns case.

AnalysisAI

Local privilege escalation in the Linux kernel's PPP driver allows an unprivileged user to issue network-administration ioctls against a network namespace they should not control. The /dev/ppp device authorizes opens against the file owner's user namespace (f_cred->user_ns) while unattached administrative ioctls act on current->nsproxy->net_ns, so a user who creates a new user namespace via CLONE_NEWUSER and gains CAP_NET_ADMIN only there can still invoke PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against an inherited (parent) network namespace. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain unprivileged local shell
Delivery
Create user namespace via CLONE_NEWUSER (gain CAP_NET_ADMIN)
Exploit
Open /dev/ppp device
Execution
Issue PPPIOCNEWUNIT/PPPIOCATTACH ioctl against inherited netns
Impact
Administer PPP in unauthorized network namespace

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) local code execution as an unprivileged user on the target host, (2) the ability to create a new user namespace via CLONE_NEWUSER - i.e., unprivileged user namespaces must be enabled (disabled by default on some hardened distributions, which fully blocks the attack), and (3) access to open the /dev/ppp device. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a real but bounded, local-only privilege issue rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unprivileged local user (for example a low-privileged shell on a shared or container host) calls unshare(CLONE_NEWUSER) to create a user namespace where they hold CAP_NET_ADMIN, opens /dev/ppp, and then issues PPPIOCNEWUNIT/PPPIOCATTACH/PPPIOCATTCHAN ioctls that take effect in the inherited parent network namespace they were never authorized to administer. This lets them create and attach PPP units/channels and manipulate networking in a namespace outside their privilege boundary, undermining tenant isolation. …
Remediation Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1, or the corresponding patched build from your distribution. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Linux systems and identify which are running PPP driver and user namespace features; prioritize high-privilege user accounts and systems in shared environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53075 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy