PatchSiren cyber security CVE debrief
CVE-2026-43391 Linux CVE debrief
A privilege escalation vulnerability in the Linux kernel's nsfs (namespace filesystem) subsystem allows local attackers to bypass namespace isolation boundaries. The flaw exists in the permission checks for handle-opening operations on namespace files, where insufficient validation could permit privileged services to access other privileged services' namespaces, enabling information leakage between isolated contexts. The vulnerability affects Linux kernel versions 6.18 through 6.19.8, and the 7.0 release candidates rc1 and rc2. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates a local attack vector with low complexity, low privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability. The fix introduces the may_see_all_namespaces() helper to centralize and tighten permission policy enforcement until the nstree subsystem can be adapted. Organizations running containerized workloads or multi-tenant systems that rely on namespace isolation should prioritize patching, as this vulnerability undermines a core security boundary for privilege separation.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-26
Who should care
Linux system administrators, container platform operators, cloud infrastructure teams, and security engineers responsible for multi-tenant environments where namespace isolation provides security boundaries. Organizations running Kubernetes, Docker, or other container orchestration platforms on affected kernel versions face elevated risk of cross-tenant information disclosure or privilege escalation if attackers can execute code with local access and limited privileges.
Technical summary
The Linux kernel's nsfs filesystem, which exposes process namespaces through /proc/[pid]/ns/ entries, contained insufficient permission checks when opening namespace handles. The vulnerability allowed processes with certain privileges to open handles to namespaces belonging to other privileged services, violating isolation expectations. The resolution introduces the may_see_all_namespaces() helper function to enforce centralized policy decisions about namespace visibility, serving as an interim hardening measure until the nstree subsystem can be properly adapted. This is a local privilege escalation with changed scope (S:C), meaning the vulnerable component can affect resources beyond its own security scope.
Defensive priority
HIGH
Recommended defensive actions
- Apply kernel patches from stable kernel.org repositories to affected systems running Linux kernel versions 6.18 through 6.19.8 or 7.0-rc1/rc2
- Prioritize patching on multi-tenant container hosts and systems relying on namespace isolation for security boundaries
- Verify namespace isolation policies remain effective after patching by auditing access controls for privileged services
- Monitor for anomalous namespace access attempts in system audit logs, particularly from container runtimes and privileged daemons
- Plan reboot windows so that patched kernels are actually running, since this is a kernel-level fix that only takes effect after a restart
- Review container security configurations to ensure defense-in-depth measures are in place beyond namespace isolation alone
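As an added example (not part of the PatchSiren debrief or of the kernel project), the following POSIX shell check classifies a kernel version string against the affected range stated above, 6.18 through 6.19.8 plus 7.0-rc1 and 7.0-rc2. It assumes versions outside that stated range are unaffected, and because it is purely version-based it cannot see distribution backports in either direction.

```shell
#!/bin/sh
# Classify a kernel version against the CVE-2026-43391 range stated in the
# debrief: 6.18 through 6.19.8, plus 7.0-rc1 and 7.0-rc2. Version-based only:
# a vendor kernel reporting 6.19.8 with a backported fix still shows as
# affected. Assumption: anything outside the stated range is unaffected.

# Exit status: 0 = affected, 1 = outside the stated range,
# 2 = pre-release of 6.18/6.19, which the debrief does not enumerate.
kernel_affected() {
    ver="$1"
    base="${ver%%-*}"                 # "6.19.3-arch1-1" -> "6.19.3"
    rest="${ver#"$base"}"             # "-arch1-1" or "-rc2"
    rc=""
    case "$rest" in
        -rc[0-9]*) rc="${rest#-rc}"; rc="${rc%%[!0-9]*}" ;;
    esac
    oldifs="$IFS"; IFS=.; set -- $base; IFS="$oldifs"
    major="${1%%[!0-9]*}"; minor="${2%%[!0-9]*}"; patch="${3%%[!0-9]*}"
    major="${major:-0}"; minor="${minor:-0}"; patch="${patch:-0}"

    if [ "$major" -eq 7 ] && [ "$minor" -eq 0 ] && [ "$patch" -eq 0 ]; then
        case "$rc" in 1|2) return 0 ;; esac
        return 1   # 7.0-rc3 onward and the 7.0 release: outside the range
    fi
    if [ "$major" -eq 6 ]; then
        if [ "$minor" -eq 18 ] || { [ "$minor" -eq 19 ] && [ "$patch" -le 8 ]; }; then
            [ -n "$rc" ] && return 2   # 6.18-rcN / 6.19-rcN: not enumerated
            return 0
        fi
    fi
    return 1
}

# Human-readable label for one version string; always exits 0.
check_version() {
    kernel_affected "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo affected ;;
        1) echo unaffected ;;
        *) echo unknown ;;
    esac
}

# Usage: sh check_cve_2026_43391.sh [version]   (defaults to `uname -r`)
v="${1:-$(uname -r)}"
echo "$v: $(check_version "$v") (CVE-2026-43391 stated range)"
```

Run it on each host, or feed it a list of `uname -r` outputs collected by your inventory tooling; "unknown" results and any distribution kernels should be cross-checked against the vendor advisory.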
Evidence notes
Vulnerability description and patch references are sourced from the NVD record. CPE criteria confirm the affected kernel versions. CVSS vector and score are from the official NVD analysis. Patch commits were identified in the kernel.org stable repository.
Official resources
- CVE-2026-43391 CVE record (CVE.org)
- CVE-2026-43391 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
2026-05-08