CVE-2026-43391 Overview
CVE-2026-43391 affects the Linux kernel namespace filesystem (nsfs), where insufficient permission checks during handle opening allow privileged services to access namespaces belonging to other privileged services. The flaw exists in the namespace handle-open path, which previously did not enforce the may_see_all_namespaces() policy. As a result, isolated privileged workloads can leak information across what should be hard service boundaries. The vulnerability is local in scope but produces high impact across confidentiality, integrity, and availability when chained with namespace abuse. Upstream maintainers resolved the issue by routing handle opens through the centralized permission helper.
Critical Impact
A local authenticated process with low privileges can access other privileged services' namespaces, breaking isolation guarantees and exposing sensitive runtime state across containerized or service-isolated workloads.
Affected Products
- Linux kernel versions containing the nsfs handle-open path prior to commits 1797ee1 and d2324a9
- Linux distributions shipping unpatched kernels with namespace filesystem support enabled
- Container runtimes and orchestration platforms relying on namespace isolation for privileged service separation
Discovery Timeline
- 2026-05-08 - CVE-2026-43391 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43391
Vulnerability Analysis
The Linux kernel exposes namespaces through the nsfs pseudo-filesystem, allowing processes to obtain file descriptors that reference specific namespace instances. Opening a handle to a namespace returns a reference that can be passed to setns() or inspected via procfs-style operations. Prior to the fix, the handle-opening code did not enforce a unified policy on which caller may see which namespace. Privileged services running with elevated capabilities could therefore observe namespaces owned by unrelated privileged services. This breaks the operating assumption that namespace visibility is bounded by ownership and capability scope. The result is a cross-service information disclosure primitive that may be combined with other operations to achieve broader compromise.
Root Cause
The root cause is a missing centralized permission check in the nsfs handle-open code path. The kernel already defines a may_see_all_namespaces() helper that encodes the intended policy, but the namespace handle-opening routine did not invoke it. Privileged-but-distinct services therefore bypassed the intended boundary. The patch routes the open path through may_see_all_namespaces() until a broader nstree redesign lands.
Attack Vector
Exploitation requires local access and low privileges, with no user interaction. A process that holds sufficient capabilities to interact with nsfs can open handles to namespaces belonging to other privileged services. Because the scope is Changed in the CVSS vector, the impact extends beyond the attacker's original security boundary. The vulnerability does not require a network path and is not remotely exploitable.
No public proof-of-concept exploit is available. The vulnerability mechanism is described in the upstream commits Linux Kernel Commit 1797ee1 and Linux Kernel Commit d2324a9.
Detection Methods for CVE-2026-43391
Indicators of Compromise
- Unexpected open() or openat() system calls targeting /proc/<pid>/ns/* paths from processes that do not own the target namespace
- Cross-service setns() invocations referencing namespace file descriptors of unrelated privileged services
- Audit records showing privileged daemons enumerating namespace inodes outside their service boundary
Detection Strategies
- Enable Linux audit rules on the openat syscall filtered to paths under /proc/*/ns/ to surface unauthorized handle opens
- Correlate process credentials and namespace ownership at the time of namespace handle access using eBPF tracing
- Compare the running kernel build identifier against vendor advisories to flag hosts missing the may_see_all_namespaces() enforcement
Monitoring Recommendations
- Collect telemetry on setns, unshare, and nsfs access patterns across container hosts and forward to a central analytics platform
- Alert on any process accessing namespace file descriptors associated with a different service account or cgroup boundary
- Track kernel package versions across the fleet and report hosts running pre-patch builds
How to Mitigate CVE-2026-43391
Immediate Actions Required
- Identify all hosts running Linux kernel builds that predate the nsfs permission tightening commits and prioritize them for patching
- Inventory privileged services that interact with nsfs and restrict their capability sets where feasible
- Apply distribution-provided kernel updates as soon as they include the upstream fix
Patch Information
The upstream fix is contained in Linux Kernel Commit 1797ee1 and the backport Linux Kernel Commit d2324a9. The patch routes namespace handle opening through the existing may_see_all_namespaces() helper, centralizing the policy until the namespace tree refactor is complete. Apply the kernel update from your distribution and reboot affected hosts.
Workarounds
- Reduce the capability footprint of services that do not require CAP_SYS_ADMIN or namespace introspection rights
- Enforce mandatory access control profiles such as SELinux or AppArmor to restrict nsfs access by privileged daemons
- Separate sensitive privileged workloads onto dedicated hosts where namespace isolation must be guaranteed
# Verify kernel version and confirm the patch is applied
uname -r
# Compare against your distribution's advisory for CVE-2026-43391
# Example: check audit logs for nsfs handle access
auditctl -w /proc -p r -k nsfs_access
ausearch -k nsfs_access | grep -E 'ns/(mnt|pid|net|user|ipc|uts|cgroup)'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
