Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local and requires CAP_NET_ADMIN (AV:L/PR:L); the real effect is namespace-isolation loss with limited, unconfirmed C/I/A rather than the automated C:H/I:H/A:H.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ip6_vti: set netns_immutable on the fallback device.
john1988 and Noam Rathaus reported that vti6_init_net() does not set the netns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).
Other similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel) correctly set this flag during their fallback device initialization to prevent them from being moved to another network namespace.
AnalysisAI
Improper network-namespace isolation in the Linux kernel's IPv6 VTI (ip6_vti) tunnel driver allows the per-netns fallback device (ip6_vti0) to be relocated into another network namespace, because vti6_init_net() omits the netns_immutable flag that sibling tunnel drivers (ip6_tunnel, sit, ip6_gre, ip_tunnel) all set. A local user holding CAP_NET_ADMIN in a namespace can move this fallback device, breaking the isolation guarantee the kernel enforces for other fallback tunnels and potentially destabilizing networking state. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access plus CAP_NET_ADMIN (PR:L) within a network namespace that has an ip6_vti0 fallback device - i.e., the ip6_vti module must be loaded/in use. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and skew lower than the headline CVSS of 7.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with CAP_NET_ADMIN inside a container or unprivileged network namespace uses standard rtnetlink/ip-link operations to move the ip6_vti0 fallback device, which the kernel failed to mark immutable, into another network namespace - undermining the isolation the platform relies on between tenants or between container and host. No public exploit code is identified, and exploitation is constrained to local, privileged contexts (AV:L/PR:L). |
| Remediation | Upgrade to a fixed stable kernel: vendor-released patches are available in Linux 6.18.36, 7.0.13, and 7.1 (and backported stable branches), with upstream fix commits ecf8904067dc, dcdce3bc9f08, and d289d5307762 available at git.kernel.org/stable. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify systems and containers using IPv6 VTI tunnels by checking kernel module status (ip6_vti) and network device configurations; assess exposure in container orchestration platforms. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38033
GHSA-4q3h-784r-7xp4