
CVE-2026-52978: Linux Kernel Privilege Escalation Flaw

CVE-2026-52978 is a privilege escalation vulnerability in the Linux kernel that allows unauthorized modification of device state without proper admin permissions. This article covers technical details, impact, and mitigation.

CVE-2026-52978 Overview

CVE-2026-52978 is a missing authorization vulnerability in the Linux kernel's PSP (Packet Security Protocol) subsystem. The dev-set and key-rotate netlink operations modify shared device state, including PSP version configuration and cryptographic key material. These operations do not require the CAP_NET_ADMIN capability. The only enforced control is psp_dev_check_access(), which verifies network namespace membership but not administrative privilege.

An unprivileged user inside a permitted network namespace can therefore alter PSP configuration and rotate cryptographic keys. The maintainers resolved the issue by adding an explicit CAP_NET_ADMIN check to both netlink operations.

Critical Impact

Unprivileged local users with access to the network namespace can modify PSP cryptographic state and rotate keys, undermining the integrity of PSP-protected communications.

Affected Products

  • Linux kernel branches containing the PSP netlink interface prior to the fix commits
  • Stable kernel trees referenced by commits aa1a08a4632a, b718342a7fba, and fb88a8c86109
  • Distributions shipping kernels with PSP support enabled

Discovery Timeline

  • 2026-06-24 - CVE-2026-52978 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-52978

Vulnerability Analysis

The Linux kernel exposes the PSP subsystem through a generic netlink family. Two operations in that family, dev-set and key-rotate, mutate device-wide state. dev-set changes the active PSP version configuration on a device. key-rotate rotates the cryptographic key material used to protect PSP sessions.

Both operations are sensitive because they affect every consumer of the device, not just the calling process. Kernel convention requires that netlink commands modifying shared networking state be guarded by CAP_NET_ADMIN. The PSP handlers omitted this check.

The only gate present was psp_dev_check_access(), which compares the caller's network namespace to the device's namespace. Namespace membership is not a privilege boundary. Any process inside the init network namespace, or a user namespace owning a net namespace that contains the PSP device, could issue these commands.

Root Cause

The root cause is missing authorization on privileged netlink operations [CWE-862]. The handlers for dev-set and key-rotate did not assert GENL_ADMIN_PERM or call capable(CAP_NET_ADMIN). Reliance on namespace membership alone allowed unprivileged callers to invoke administrative functions.

Attack Vector

A local attacker with the ability to send generic netlink messages to the PSP family can trigger the vulnerable paths. Inside an unprivileged user namespace that owns a network namespace containing a PSP-capable device, the attacker issues a key-rotate request to force key material regeneration, disrupting active PSP sessions. The same attacker can issue dev-set to downgrade or alter the PSP version configuration, weakening protections for other tenants of the device.

No exploit code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the upstream commits for the precise code paths and fix:

Detection Methods for CVE-2026-52978

Indicators of Compromise

  • Unexpected invocations of PSP generic netlink commands PSP_CMD_DEV_SET or PSP_CMD_KEY_ROTATE by non-root processes.
  • Unscheduled rotations of PSP key material on hosts where rotations are normally driven by orchestration.
  • Sudden disruption of PSP-protected sessions correlating with local user activity.

Detection Strategies

  • Audit execve and netlink socket activity for processes opening AF_NETLINK sockets with the PSP generic netlink family from non-administrative accounts.
  • Enable kernel auditing on the PSP netlink handlers and alert when callers lack CAP_NET_ADMIN.
  • Correlate kernel log entries describing PSP version changes or key rotations with the originating UID and namespace.

Monitoring Recommendations

  • Ingest auditd and kernel logs into a centralized analytics platform and build queries for PSP-related events tied to unprivileged UIDs.
  • Track the kernel package version across the fleet and alert on hosts running unpatched builds with PSP enabled.
  • Monitor user namespace creation by unprivileged users on hosts exposing PSP devices.

How to Mitigate CVE-2026-52978

Immediate Actions Required

  • Update affected Linux kernels to a stable release that includes the fix commits aa1a08a4632a, b718342a7fba, and fb88a8c86109.
  • Inventory hosts that load PSP-capable network drivers and prioritize them for patching.
  • Restrict unprivileged user namespace creation where it is not required, using sysctl kernel.unprivileged_userns_clone=0 on distributions that support it.
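
As an added example (not part of the original advisory or of the kernel project), the shell functions below triage one host for the inventory and user-namespace steps above: they report whether the kernel was built with PSP support and whether unprivileged user namespaces are still open. The function and verdict names are made up for this example; it assumes the CONFIG_INET_PSP build option and the kernel.unprivileged_userns_clone and user.max_user_namespaces sysctls, and it does not detect the fix itself.

```sh
#!/bin/sh
# Added example: exposure triage for the PSP netlink issue (not patch detection).

# psp_built CONFIG_FILE -> yes | no | unknown
psp_built() {
    cfg=$1
    if [ ! -r "$cfg" ]; then echo unknown; return 0; fi
    case $cfg in
        *.gz) reader="gzip -dc" ;;   # e.g. /proc/config.gz
        *)    reader="cat" ;;
    esac
    if $reader "$cfg" | grep -q '^CONFIG_INET_PSP=y'; then echo yes; else echo no; fi
}

# userns_open CLONE MAX -> yes | no
# CLONE: kernel.unprivileged_userns_clone, MAX: user.max_user_namespaces;
# pass "" when the sysctl does not exist on this distribution.
userns_open() {
    if [ "$1" = 0 ] || [ "$2" = 0 ]; then echo no; else echo yes; fi
}

# classify CONFIG_FILE CLONE MAX -> verdict (names are specific to this example)
classify() {
    case "$(psp_built "$1"):$(userns_open "$2" "$3")" in
        no:*)    echo not-built ;;
        yes:yes) echo built-userns-open ;;
        # Restricting userns only narrows reach; init-netns callers remain.
        yes:no)  echo built-userns-restricted ;;
        *)       echo unknown ;;
    esac
}

# report_host: run the classification against the live system.
report_host() {
    clone=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || true)
    max=$(sysctl -n user.max_user_namespaces 2>/dev/null || true)
    classify "/boot/config-$(uname -r)" "$clone" "$max"
}

if [ "${1:-}" = "--live" ]; then report_host; fi
```

Run it with --live on a host to print the verdict; any "built-" result still needs the kernel package version checked against the distribution's advisory.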

Patch Information

The fix adds a CAP_NET_ADMIN requirement to the dev-set and key-rotate PSP netlink operations. Apply the corresponding stable kernel updates from your distribution. Upstream references:

Workarounds

  • Disable or unload PSP-capable drivers on hosts that do not require PSP until patches are applied.
  • Limit local access to hosts exposing PSP devices and disallow shell access for untrusted users.
  • Constrain user namespace creation and netlink access via seccomp or LSM policies on multi-tenant systems.
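
```bash
# Disable unprivileged user namespaces to reduce reachability of the vulnerable handlers
# (this sysctl exists only on distributions that carry it)
sysctl -w kernel.unprivileged_userns_clone=0

# Check whether the running kernel was built with PSP support. The compressed
# vmlinuz image cannot be searched with strings, and the build config does not
# show the fix commit, so patch level still has to come from the advisory.
grep -E 'CONFIG_INET_PSP[= ]' "/boot/config-$(uname -r)" || \
  echo "No PSP build option found in the kernel config"
echo "Confirm patch level with your distribution's advisory"
```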

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
