Impact
A flaw in the linux-pam pam_namespace module causes it to operate on user-controlled file paths without proper sanitization, allowing a local user to escalate privileges to root through a combination of symlink attacks and race conditions. The vulnerability directly compromises the integrity and confidentiality of the system by granting full administrative privileges to a non-privileged user, potentially exposing all data and allowing full system takeover. The weakness is classified as path traversal (CWE-22): the checks that should constrain the file paths used during authentication can be bypassed.
Affected Systems
Affected systems include a wide range of Red Hat products: the Compliance Operator 1, RHEL-8 based Middleware Containers, RHOSS-1.36-RHEL-8, Red Hat Discovery 2, and multiple Red Hat Enterprise Linux releases (RHEL 7 Extended Lifecycle Support, RHEL 8 across baseos and appstream variants, RHEL 8.6 Advanced Mission Critical Update Service, RHEL 8.8 Update Services for SAP Solutions, RHEL 9 with standard and Extended Update Support, and RHEL 10 10.1). Red Hat OpenShift components, including distributed tracing 3.6.0 and sandboxed containers 1.1, as well as the cert-manager operator 1.16 and web terminal 1.11/1.12 on RHEL 9, are also impacted.
Risk and Exploitability
The CVSS score of 7.8 indicates a moderate to high severity, while the EPSS score of < 1% signals a low likelihood of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog, suggesting it is not a known high-profile exploit. An attacker must already have local access to the system; from there, the flaw is exploited by crafting malicious symlinks or winning race conditions against pam_namespace, after which the attacker can elevate to root, potentially compromising system integrity.
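A defensive pattern for the bug class described above (privileged code following user-controlled paths through symlinks and check/use races), as an added example that is not pam_namespace's code or the vendor's fix. The function name `open_dir_beneath` and the temporary directory layout are hypothetical and constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open relpath below rootfd one component at a time. Every step resolves
 * against an already-open descriptor and refuses symlinks, so swapping a
 * component for a symlink between a check and its use cannot redirect the
 * caller. Returns a directory fd, or -1 with errno set. */
int open_dir_beneath(int rootfd, const char *relpath)
{
    char buf[PATH_MAX], *save = NULL;
    if (relpath[0] == '/' || strlen(relpath) >= sizeof buf) {
        errno = EINVAL;               /* absolute or over-long path */
        return -1;
    }
    strcpy(buf, relpath);
    int cur = fcntl(rootfd, F_DUPFD_CLOEXEC, 0);
    for (char *c = strtok_r(buf, "/", &save); cur >= 0 && c != NULL;
         c = strtok_r(NULL, "/", &save)) {
        int next = -1;
        if (strcmp(c, "..") == 0)
            errno = EINVAL;           /* never climb above the root */
        else
            next = openat(cur, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        int saved = errno;
        close(cur);
        errno = saved;
        cur = next;
    }
    return cur;
}

/* Constructed demo tree: <tmp>/real/inst is genuine, <tmp>/link -> real. */
int main(void)
{
    char tmpl[] = "/tmp/nsdemoXXXXXX";
    int root = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (root < 0 || mkdirat(root, "real", 0700) || mkdirat(root, "real/inst", 0700)
        || symlinkat("real", root, "link"))
        return 1;
    printf("real/inst: %s\n", open_dir_beneath(root, "real/inst") >= 0 ? "opened" : "refused");
    printf("link/inst: %s\n", open_dir_beneath(root, "link/inst") >= 0 ? "opened" : "refused");
    return 0;
}
```

Once the directory is open, later privileged operations should act on the returned descriptor (`fchown`, `fchmod`, `mkdirat`) instead of re-resolving the path string.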