Skip to main content

Linux Kernel EUVDEUVD-2026-28697

| CVE-2026-43391 HIGH
2026-05-08 Linux GHSA-986c-6cjh-r8fc
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:32 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
HIGH 8.8
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nsfs: tighten permission checks for handle opening

Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts.

AnalysisAI

Insufficient permission checks in Linux kernel nsfs (namespace filesystem) allow low-privileged local users to access other processes' namespaces, potentially escalating privileges across namespace boundaries and leaking sensitive information between isolated services. The vulnerability affects kernel versions before 6.19.9 and 7.0, with patches available in stable branches d2324a9317f0 and 1797ee11451f. EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, and no active exploitation or public POC has been identified in CISA KEV or public sources. The CVSS 8.8 (High) rating reflects scope change (S:C) indicating privilege escalation across security boundaries - a critical concern for containerized environments where namespace isolation is foundational to multi-tenant security.

Technical ContextAI

The vulnerability resides in nsfs, the Linux kernel's namespace filesystem that exposes namespace file descriptors through /proc/[pid]/ns/. Namespaces are the fundamental isolation primitive for containers (Docker, Kubernetes, LXC), isolating PID, network, mount, user, IPC, UTS, and cgroup resources between processes. The nsfs code path for opening namespace handles via file descriptors lacked proper permission validation, allowing privileged processes to access namespaces belonging to other privileged processes when they should be mutually isolated. The fix introduces the may_see_all_namespaces() helper function to centralize namespace visibility policy enforcement until the in-development nstree framework provides comprehensive namespace tree access control. This affects all Linux kernel configurations with namespace support enabled (CONFIG_NAMESPACES=y), which is standard in virtually all modern distributions and mandatory for container runtimes.

RemediationAI

Update to Linux kernel 6.19.9 or later for the 6.x stable branch (patch commit d2324a9317f00013facb0ba00b00440e19d2af5e), or kernel 7.0 or later for mainline (patch commit 1797ee11451f1b2be69863a9f5bd43b948813fdf). Distribution-specific patched packages: for RHEL/CentOS use 'yum update kernel' after vendor backport release; for Ubuntu/Debian use 'apt update && apt upgrade linux-image-generic'; for SUSE use 'zypper update kernel-default'. Verify patched kernel with 'uname -r' and reboot to activate. If immediate patching is not feasible, implement defense-in-depth controls: (1) Restrict CAP_SYS_PTRACE and CAP_SYS_ADMIN capabilities in container security policies (Kubernetes PodSecurityPolicy/PodSecurity standards, Docker seccomp profiles) to limit namespace traversal abilities - trade-off is breaking legitimate debugging tools like strace; (2) Enable AppArmor or SELinux mandatory access control with strict namespace access profiles to prevent cross-namespace file descriptor operations - adds operational complexity for legitimate multi-namespace tools; (3) Use user namespaces (CONFIG_USER_NS) with non-overlapping UID/GID ranges to create additional permission boundaries - requires reconfiguring container UID mappings and may break applications expecting specific UIDs. Monitor /proc/[pid]/ns/ access patterns via auditd rules ('auditctl -w /proc/ -p r -k namespace_access') to detect reconnaissance attempts. Workarounds provide partial mitigation only; kernel patching remains the definitive fix. Full advisories and patches: https://git.kernel.org/stable/c/1797ee11451f1b2be69863a9f5bd43b948813fdf.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28697 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy