CVE-2026-43391

Description

In the Linux kernel, the following vulnerability has been resolved: nsfs: tighten permission checks for handle opening Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (修复补丁发布前的版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-43391: nsfs permission check bypass
 * This code attempts to open a namespace handle that should be restricted.
 * Compile: gcc -o poc_nsfs poc_nsfs.c
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

int main(int argc, char *argv[]) {
    int fd;
    // Attempting to open a specific namespace handle directly
    // In a vulnerable version, this might succeed without proper checks.
    const char *ns_path = "/proc/self/ns/mnt";
    
    printf("[*] Attempting to open namespace handle: %s\n", ns_path);
    
    fd = open(ns_path, O_RDONLY);
    if (fd < 0) {
        perror("[-] Failed to open namespace");
        return 1;
    }
    
    printf("[+] Namespace handle opened successfully (fd=%d)\n", fd);
    printf("[+] Potential vulnerability confirmed if access was unexpected.\n");
    
    close(fd);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43391
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43391
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43391/
[4] VulDB https://vuldb.com/cve/CVE-2026-43391
[5] https://git.kernel.org/stable/c/1797ee11451f1b2be69863a9f5bd43b948813fdf
[6] https://git.kernel.org/stable/c/d2324a9317f00013facb0ba00b00440e19d2af5e

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43391", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:50.490", "lastModified": "2026-05-11T08:16:12.803", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnsfs: tighten permission checks for handle opening\n\nEven privileged services should not necessarily be able to see other\nprivileged service's namespaces so they can't leak information to each\nother. Use may_see_all_namespaces() helper that centralizes this policy\nuntil the nstree adapts."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 6.0}]}, "references": [{"url": "https://git.kernel.org/stable/c/1797ee11451f1b2be69863a9f5bd43b948813fdf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d2324a9317f00013facb0ba00b00440e19d2af5e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}