Skip to main content

Linux Kernel EUVDEUVD-2026-32439

| CVE-2026-46057 LOW
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-q738-wcrr-x4xx
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.3 LOW

Local low-privilege call to landlock_restrict_self() required; only audit log flag integrity is lost, with no confidentiality or availability impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 16, 2026 - 15:13 vuln.today
CVSS changed
Jun 16, 2026 - 15:07 NVD
3.3 (LOW)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()

hook_cred_transfer() only copies the Landlock security blob when the source credential has a domain. This is inconsistent with landlock_restrict_self() which can set LOG_SUBDOMAINS_OFF on a credential without creating a domain (via the ruleset_fd=-1 path): the field is committed but not preserved across fork() because the child's prepare_creds() calls hook_cred_transfer() which skips the copy when domain is NULL.

This breaks the documented use case where a process mutes subdomain logs before forking sandboxed children: the children lose the muting and their domains produce unexpected audit records.

Fix this by unconditionally copying the Landlock credential blob.

AnalysisAI

Landlock LSM's credential transfer hook in the Linux kernel silently drops the LOG_SUBDOMAINS_OFF audit-muting flag across fork() boundaries, breaking the documented sandboxing pattern where a parent process suppresses subdomain audit logs before spawning sandboxed children. Affected kernels from commit ead9079f75696 onward across the 6.15, 6.18, and 7.x stable branches allow child processes to emit unexpected Landlock audit records the operator explicitly intended to suppress. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), and this is a logic correctness defect rather than a privilege-escalation or data-exfiltration path.

Technical ContextAI

Landlock is a Linux Security Module (LSM) that enables unprivileged process sandboxing via rulesets applied through the landlock_restrict_self() syscall. The credential lifecycle hook hook_cred_transfer() is responsible for copying the Landlock security blob (containing per-credential security state such as the ruleset domain and log-control flags) into child credential structs during fork(). The defect is that hook_cred_transfer() gates the entire blob copy on the presence of a non-NULL domain pointer. However, landlock_restrict_self() exposes a special ruleset_fd=-1 path that sets LOG_SUBDOMAINS_OFF on the calling process's credentials without creating any domain. Because domain is NULL in this case, hook_cred_transfer() skips the copy entirely on fork(), and the child credential struct is left with the flag at its zero/default value. The CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covers the full kernel tree. No CWE is assigned by NVD; the closest classification is CWE-665 (Improper Initialization) - the child credential blob is not properly initialized from parent state - though an argument for CWE-284 (Improper Access Control) in an audit-control context is also defensible.

RemediationAI

Upstream fix available (commits at kernel.org); released patched versions confirmed as Linux 6.18.27, 7.0.4, and 7.1-rc1 per EUVD-2026-32439. Administrators should upgrade to the patched stable release appropriate for their kernel branch: apply the backport commit 2fcde49092aac55d5beef43fdd3633217672f7d1 for 6.18 series, 874c8f83826c95c62c21d9edfe9ef43e5c346724 for 6.15 series, or 1c513b8a00df13d231021e74ad92babb3fedf64a for 7.x. If immediate patching is not feasible and the deployment relies on Landlock subdomain log muting, a viable application-level workaround is to call landlock_restrict_self() with ruleset_fd=-1 in each child process after fork() rather than in the parent before fork(), explicitly setting LOG_SUBDOMAINS_OFF per-child. This requires application-level code changes and may not be practical in all architectures. Systems that do not use Landlock sandboxing or do not rely on the ruleset_fd=-1 log-muting path are unaffected and require no action.

Share

EUVD-2026-32439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy