Security Vulnerability Report
CVE-2026-43403 CVSS 8.8 HIGH

Published: 2026-05-08 15:16:52
Last Modified: 2026-05-11 08:16:13
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

nsfs: tighten permission checks for ns iteration ioctls

Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (for specific versions, refer to the Git commit records)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/nsfs.h>

// Conceptual Proof of Concept for CVE-2026-43403
// This code attempts to iterate namespaces using ioctls.
// On a vulnerable system, this may reveal namespaces of other privileged services.
int main(void)
{
    int fd = -1;

    // Open a namespace file; this path is the calling process's own
    // network namespace. In a real exploit, specific paths to nsfs
    // would be targeted.
    fd = open("/proc/self/ns/net", O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    // The vulnerability involves the permission checks during iteration ioctls.
    // While specific ioctl numbers depend on kernel headers, the logic below
    // represents the interaction that triggers the vulnerable path.
    printf("Attempting to interact with nsfs ioctls...\n");

    // Pseudo-code representing the iteration logic that lacks strict checks
    // (the struct and ioctl names below are placeholders, not a working call):
    // struct ns_ioctl_args args;
    // if (ioctl(fd, NS_GET_OWNER_UID, &args) < 0) {
    //     perror("ioctl");
    // }

    close(fd);
    printf("PoC execution finished.\n");
    return 0;
}

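References

https://git.kernel.org/stable/c/0ad650e60150eda789deca5e78a6a09d26bf8fc9
https://git.kernel.org/stable/c/2f3dea284c761c890d676f77d5e55c0c496b4ef4
https://git.kernel.org/stable/c/3376b345df155ca36d8611857b41ff7d5183fc38
https://git.kernel.org/stable/c/e6b899f08066e744f89df16ceb782e06868bd148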

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43403", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:51.783", "lastModified": "2026-05-11T08:16:13.030", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnsfs: tighten permission checks for ns iteration ioctls\n\nEven privileged services should not necessarily be able to see other\nprivileged service's namespaces so they can't leak information to each\nother. Use may_see_all_namespaces() helper that centralizes this policy\nuntil the nstree adapts."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 6.0}]}, "references": [{"url": "https://git.kernel.org/stable/c/0ad650e60150eda789deca5e78a6a09d26bf8fc9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2f3dea284c761c890d676f77d5e55c0c496b4ef4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3376b345df155ca36d8611857b41ff7d5183fc38", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e6b899f08066e744f89df16ceb782e06868bd148", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}