PatchSiren cyber security CVE debrief
CVE-2026-43403 Linux CVE debrief
CVE-2026-43403 is a Linux kernel vulnerability in nsfs namespace-iteration ioctls. The documented fix tightens permission checks so that even privileged services do not necessarily see other privileged services’ namespaces, reducing the chance of information leakage across privilege boundaries. NVD rates the issue HIGH (CVSS 8.8) and links kernel patches for remediation.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-21
Who should care
Linux kernel maintainers, distro security teams, and operators of systems running affected kernel releases should care most, especially environments that rely on namespaces, containers, or other multi-tenant service isolation. Because the issue is local and requires privileges, it is most relevant to hosts where multiple privileged workloads share a kernel.
Technical summary
According to the supplied Linux kernel description, the flaw is in nsfs namespace iteration ioctls. The fix centralizes access policy through may_see_all_namespaces(), tightening permission checks so a privileged service cannot automatically enumerate or inspect namespaces owned by another privileged service. NVD lists affected kernel ranges as 6.12 through 6.12.78, 6.13 through 6.18.20, 6.19 through 6.19.9, plus 7.0-rc1 and 7.0-rc2. The NVD CVSS vector is AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: local attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability.
Defensive priority
High. This is a kernel-level access-control issue with a high CVSS score and official patch references. Prioritize patching or backporting on systems that run affected kernel branches, especially hosts with containers, namespaces, or multiple privileged services.
Recommended defensive actions
- Inventory Linux kernel versions and compare them with the affected ranges listed by NVD: 6.12-6.12.78, 6.13-6.18.20, 6.19-6.19.9, 7.0-rc1, and 7.0-rc2.
- Apply the vendor or stable-kernel patches referenced by NVD as soon as practical, or install a distribution update that backports the fix.
- Prioritize patching systems that host multiple tenants, containers, or privileged services sharing the same kernel.
- Validate that your patched kernel includes the nsfs permission-check change using may_see_all_namespaces() or an equivalent vendor backport.
- Track distro advisories and confirm no local policy exceptions or custom kernel changes reintroduce namespace enumeration exposure.
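
A first-pass triage for the inventory step above, as an added example that is not part of the original advisory or the kernel project: it classifies `uname -r` strings against the ranges this page lists. It assumes the range bounds are inclusive as written here; the host names and release strings are constructed, and `classify` and `triage` are hypothetical helper names.

```python
import re

# Affected upstream ranges as listed on this page (bounds treated as inclusive).
AFFECTED_RANGES = [
    ((6, 12, 0), (6, 12, 78)),
    ((6, 13, 0), (6, 18, 20)),
    ((6, 19, 0), (6, 19, 9)),
]
AFFECTED_PRERELEASES = {"7.0-rc1", "7.0-rc2"}

# major.minor[.patch][-rcN][vendor suffix], e.g. "6.14.0-35-generic", "7.0.0-rc2"
_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?(.*)$")

def classify(release):
    """Classify a `uname -r` string against the ranges above."""
    m = _RELEASE.match(release.strip())
    if not m:
        return "unparsed"
    major, minor, patch, rc, suffix = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    if rc:
        hit = version[2] == 0 and f"{major}.{minor}{rc}" in AFFECTED_PRERELEASES
    else:
        hit = any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)
    if not hit:
        return "out-of-range"
    # A vendor suffix means the fix may be backported without a version bump,
    # so the string alone cannot confirm exposure: check the vendor changelog.
    return "in-range-vendor" if suffix else "in-range"

def triage(inventory):
    """Map host -> classification for every host that needs follow-up."""
    results = {host: classify(rel) for host, rel in inventory.items()}
    return {h: c for h, c in results.items() if c != "out-of-range"}

# Constructed inventory (hypothetical host names and release strings).
SAMPLE_INVENTORY = {
    "build-01": "6.12.78",
    "k8s-node-07": "6.14.0-35-generic",
    "edge-02": "6.19.10",
    "lab-rc": "7.0.0-rc2",
    "legacy-01": "5.15.0-91-generic",
    "appliance-03": "custom-kernel",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as in-range-vendor or unparsed still need the changelog or source check described in the validation step, since a version string cannot show whether a backport is present.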
Evidence notes
The CVE description states that nsfs permission checks for namespace iteration ioctls were tightened to prevent privileged services from seeing other privileged services’ namespaces and leaking information. NVD marks the record analyzed, assigns CVSS 8.8 HIGH with vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, and lists four official kernel patch references. The supplied corpus does not include a CWE beyond NVD-CWE-noinfo, so root-cause categorization is limited to the description and NVD metadata.
Official resources
- CVE-2026-43403 CVE record (CVE.org)
- CVE-2026-43403 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (four entries): 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
Publicly disclosed in the NVD/CVE record on 2026-05-08 and last updated on 2026-05-21. The supplied corpus does not identify a KEV listing or ransomware association.