Skip to main content

Linux Kernel EUVDEUVD-2026-38033

| CVE-2026-52909 HIGH
2026-06-19 Linux GHSA-4q3h-784r-7xp4
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.3 MEDIUM

Local and requires CAP_NET_ADMIN (AV:L/PR:L); the real effect is namespace-isolation loss with limited, unconfirmed C/I/A rather than the automated C:H/I:H/A:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 28, 2026 - 10:30 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
CVE Published
Jun 19, 2026 - 14:43 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 19, 2026 - 14:43 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: set netns_immutable on the fallback device.

john1988 and Noam Rathaus reported that vti6_init_net() does not set the netns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).

Other similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel) correctly set this flag during their fallback device initialization to prevent them from being moved to another network namespace.

AnalysisAI

Improper network-namespace isolation in the Linux kernel's IPv6 VTI (ip6_vti) tunnel driver allows the per-netns fallback device (ip6_vti0) to be relocated into another network namespace, because vti6_init_net() omits the netns_immutable flag that sibling tunnel drivers (ip6_tunnel, sit, ip6_gre, ip_tunnel) all set. A local user holding CAP_NET_ADMIN in a namespace can move this fallback device, breaking the isolation guarantee the kernel enforces for other fallback tunnels and potentially destabilizing networking state. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local CAP_NET_ADMIN in a namespace
Delivery
Target unprotected ip6_vti0 fallback device
Exploit
Issue rtnetlink change-netns on the device
Execution
Relocate device across namespace boundary
Impact
Break network-namespace isolation

Vulnerability AssessmentAI

Exploitation Exploitation requires local access plus CAP_NET_ADMIN (PR:L) within a network namespace that has an ip6_vti0 fallback device - i.e., the ip6_vti module must be loaded/in use. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and skew lower than the headline CVSS of 7.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with CAP_NET_ADMIN inside a container or unprivileged network namespace uses standard rtnetlink/ip-link operations to move the ip6_vti0 fallback device, which the kernel failed to mark immutable, into another network namespace - undermining the isolation the platform relies on between tenants or between container and host. No public exploit code is identified, and exploitation is constrained to local, privileged contexts (AV:L/PR:L).
Remediation Upgrade to a fixed stable kernel: vendor-released patches are available in Linux 6.18.36, 7.0.13, and 7.1 (and backported stable branches), with upstream fix commits ecf8904067dc, dcdce3bc9f08, and d289d5307762 available at git.kernel.org/stable. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify systems and containers using IPv6 VTI tunnels by checking kernel module status (ip6_vti) and network device configurations; assess exposure in container orchestration platforms. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38033 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy