PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43472 Linux CVE debrief

CVE-2026-43472 is a Linux kernel bug in unshare(2) namespace setup. When CLONE_NEWNS is used and the current task’s fs_struct was not already shared, the kernel could reuse the existing fs_struct during mount-namespace creation. If a later namespace step failed, the process could be left with pwd and root pointing at detached mounts. The issue is primarily a local availability problem and was rated CVSS 5.5 (MEDIUM).

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Linux distribution maintainers, kernel operators, and anyone running kernels in the affected NVD ranges should care, especially if workloads use unshare(2), mount namespaces, cgroup namespaces, or related container/runtime features. Security teams should also care because a failed unshare(2) call can leave the calling process with its root and working directory on detached mounts, even though the call itself returned an error.

Technical summary

NVD describes the flaw as an unshare(2) corner case involving CLONE_NEWNS and current->fs handling. If CLONE_NEWNS was requested while the current fs_struct had not been shared, copy_mnt_ns() could be invoked with current->fs instead of a fresh copy. In a failure path after mount-namespace creation, such as when copy_cgroup_ns() returns an error, the newly created mount namespace is torn down but current->fs->root and current->fs->pwd may remain bound to now-detached mounts. The supplied kernel fix description says the remedy is to always allocate a new fs_struct when CLONE_NEWNS is present, even if the current one was not previously shared.

Defensive priority

Medium. This is a local bug with availability impact and incorrect process state persistence, not a known remote compromise vector in the supplied corpus. Prioritize patching affected kernel branches because the issue spans many release lines and the supplied kernel note says the cost of copy_fs_struct() is trivial relative to the safety gained.

Recommended defensive actions

  • Apply the relevant Linux kernel stable patches referenced by NVD for the affected release branches.
  • Upgrade to a kernel version outside the affected ranges listed by NVD for your branch.
  • Review container, sandbox, and namespace-heavy workloads that call unshare(2), especially those using CLONE_NEWNS and CLONE_NEWCGROUP.
  • Validate that your distribution backport includes the fs_struct allocation change for CLONE_NEWNS.
  • Treat unexpected detached root/pwd behavior after failed namespace setup as a kernel bug indicator and investigate affected hosts.
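The last action above asks operators to notice when a process is left with a detached root or working directory after namespace setup fails. The following program is an added diagnostic written for this debrief; it is not code from PatchSiren, NVD, or the kernel patch. It calls unshare(2) with the flag combination named in the summary, then, whether or not the call succeeded, reads /proc/self/root and /proc/self/cwd and reports whether the kernel marks either path as "(unreachable)", which is how a path on a detached mount is rendered. It assumes /proc is mounted; unshare(2) itself will normally fail with EPERM without CAP_SYS_ADMIN, and the check still runs in that case because the bug manifests precisely on a failed call. The program does not and cannot force the copy_cgroup_ns() failure path; it only reports the process state it observes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Older libc headers may lack this flag (kernel value, unchanged since 4.6). */
#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000
#endif

/* Outcome of the post-unshare filesystem state check. */
enum fs_state {
    FS_STATE_UNKNOWN  = -1,  /* /proc not readable; cannot judge */
    FS_STATE_OK       =  0,  /* root and cwd still reachable */
    FS_STATE_DETACHED =  1   /* root or cwd sits on a detached mount: bug indicator */
};

/* Reads the symlink /proc/self/<which> ("root" or "cwd") into buf.
 * Returns 1 if the kernel renders the path as unreachable from the
 * process root (the symptom of a detached mount), 0 if reachable,
 * -1 if the link could not be read (assumption: /proc is mounted). */
static int proc_path_detached(const char *which, char *buf, size_t len)
{
    char link[64];
    ssize_t n;

    snprintf(link, sizeof link, "/proc/self/%s", which);
    n = readlink(link, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    /* d_path() prefixes paths that cannot be reached from the process root
     * with "(unreachable)"; a detached root/pwd shows up this way. */
    return strncmp(buf, "(unreachable)", 13) == 0;
}

/* Calls unshare(flags), then checks whether this process's root and cwd
 * are still reachable. *unshare_errno receives 0 on success or the errno
 * from unshare(2). The check runs either way: the bug leaves the process
 * in the bad state exactly when unshare(2) fails part-way through. */
enum fs_state check_fs_after_unshare(int flags, int *unshare_errno)
{
    char root[4096], cwd[4096];
    int r, c;

    *unshare_errno = unshare(flags) == 0 ? 0 : errno;

    r = proc_path_detached("root", root, sizeof root);
    c = proc_path_detached("cwd", cwd, sizeof cwd);
    if (r < 0 || c < 0)
        return FS_STATE_UNKNOWN;
    return (r || c) ? FS_STATE_DETACHED : FS_STATE_OK;
}

int main(void)
{
    int err;
    enum fs_state st = check_fs_after_unshare(CLONE_NEWNS | CLONE_NEWCGROUP, &err);

    if (err)
        printf("unshare(2) failed: %s\n", strerror(err));
    else
        puts("unshare(2) succeeded");

    switch (st) {
    case FS_STATE_OK:       puts("root/cwd reachable: no detached-mount symptom"); break;
    case FS_STATE_DETACHED: puts("root/cwd DETACHED after unshare: investigate this kernel"); break;
    default:                puts("could not read /proc/self/{root,cwd}"); break;
    }
    return st == FS_STATE_DETACHED;
}
```

On a patched kernel the result is FS_STATE_OK regardless of whether unshare(2) succeeded or was refused. A FS_STATE_DETACHED result after a failed call on a kernel inside the NVD ranges is the indicator the action above describes and is worth correlating with the host's kernel build and its distribution backport status.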

Evidence notes

Evidence is limited to the supplied NVD record and its referenced kernel stable patch links. NVD marks the vulnerability as analyzed, assigns CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and maps it to CWE-908. The NVD CPE criteria list multiple affected Linux kernel branches and end-of-fix cutoffs:

  • 2.6.16.1 before 5.10.253
  • 5.11 before 5.15.203
  • 5.16 before 6.1.167
  • 6.2 before 6.6.130
  • 6.7 before 6.12.78
  • 6.13 before 6.18.19
  • 6.19 before 6.19.9

The kernel description in the source item explains that the bug has existed since unshare(2) was introduced and that the chosen fix is to allocate a new fs_struct whenever CLONE_NEWNS is set.
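The NVD ranges above can be turned into a quick first-pass fleet check. The program below is an added example for this debrief, not part of the NVD record or any kernel or distribution tooling. It encodes the seven NVD ranges as [from, fixed) intervals, parses the numeric prefix of a `uname -r` string (up to four components so that 2.6.16.1 compares correctly), and reports whether the version falls inside any range. Function and type names (parse_kver, kver_in_affected_range, struct kver) are this example's own. The result is only as good as the version string: a distribution kernel such as 5.15.0-91-generic reports a base version inside the ranges even when the vendor has backported the fs_struct change, which is why the actions above also ask you to validate the backport itself.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

/* Kernel version as up to four numeric components (2.6.16.1 -> {2,6,16,1});
 * missing components are 0, so 5.11 is {5,11,0,0}. */
struct kver { int v[4]; };

/* Affected ranges exactly as listed in the NVD CPE criteria for CVE-2026-43472,
 * as half-open intervals: affected if from <= version < fixed. */
static const struct { struct kver from, fixed; } affected_ranges[] = {
    { {{2, 6, 16, 1}}, {{5, 10, 253, 0}} },
    { {{5, 11, 0, 0}}, {{5, 15, 203, 0}} },
    { {{5, 16, 0, 0}}, {{6, 1, 167, 0}} },
    { {{6, 2, 0, 0}},  {{6, 6, 130, 0}} },
    { {{6, 7, 0, 0}},  {{6, 12, 78, 0}} },
    { {{6, 13, 0, 0}}, {{6, 18, 19, 0}} },
    { {{6, 19, 0, 0}}, {{6, 19, 9, 0}} },
};

/* Parses the numeric prefix of a `uname -r` string ("6.6.120-generic" -> 6.6.120).
 * Returns 0 on success, -1 if the string does not start with a number. */
int parse_kver(const char *s, struct kver *out)
{
    memset(out, 0, sizeof *out);
    for (int i = 0; i < 4; i++) {
        char *end;
        if (!isdigit((unsigned char)*s))
            return i == 0 ? -1 : 0;   /* stop at a suffix such as "-generic" */
        out->v[i] = (int)strtol(s, &end, 10);
        s = end;
        if (*s != '.')
            return 0;
        s++;
    }
    return 0;
}

/* Lexicographic comparison of the four components. */
static int kver_cmp(const struct kver *a, const struct kver *b)
{
    for (int i = 0; i < 4; i++)
        if (a->v[i] != b->v[i])
            return a->v[i] < b->v[i] ? -1 : 1;
    return 0;
}

/* Returns 1 if the release string is inside one of the NVD ranges,
 * 0 if outside (fixed release, or a branch NVD does not list),
 * -1 if the string could not be parsed. */
int kver_in_affected_range(const char *release)
{
    struct kver k;
    if (parse_kver(release, &k) < 0)
        return -1;
    for (size_t i = 0; i < sizeof affected_ranges / sizeof affected_ranges[0]; i++)
        if (kver_cmp(&affected_ranges[i].from, &k) <= 0 &&
            kver_cmp(&k, &affected_ranges[i].fixed) < 0)
            return 1;
    return 0;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 2;
    }
    int r = kver_in_affected_range(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "inside an NVD affected range (verify backport status)"
         : r == 0 ? "outside the NVD affected ranges"
                  : "unparsable release string");
    return r == 1;
}
```

Run it on each host (or feed `uname -r` output from inventory into kver_in_affected_range) to get a list of candidates; then confirm for each flagged distribution kernel whether its changelog carries the CLONE_NEWNS fs_struct allocation change before treating it as unpatched.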

Official resources

Published by NVD on 2026-05-08T15:17:00.313Z and last modified on 2026-05-21T13:37:06.727Z. Timing in this debrief uses the supplied CVE published and modified timestamps; no other dates are treated as the issue date.