Description
lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a deletion request, the interface name comparison can set the authorization flag based on a name match alone, even when the ownership, type, and link fields in that database entry belong to a different user. The vulnerable check sits after the goto next label handling, meaning it is reachable on lines where earlier ownership checks failed or were skipped. Because nothing downstream of this authorization signal re-verifies that the matched database line actually belongs to the caller, an unprivileged attacker with a valid lxc-usernet policy entry can trigger deletion of another user's OVS port on the same bridge.

This is limited to multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. The impact is denial of service - one tenant can repeatedly disconnect networking from containers run by another tenant on shared infrastructure. This is patched in version 7.0.0.
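The following is an added illustration of the database scan described above, written for this page; it is not lxc's own find_line(), and the line layout ("owner type link nic"), the function names and the sample entries are assumptions modelled on the description. It places the vulnerable shape, in which the name comparison sits below the `next` label and therefore runs even for entries the ownership checks rejected, beside a hardened version that requires all four fields to match before an entry authorizes anything.

```c
/* Model of the NIC-database scan described in the advisory.  Added example
 * code, not lxc's own find_line(): the "owner type link nic" line layout,
 * the function names and the sample database are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64

struct nic_entry {
    char owner[FIELD_MAX];
    char type[FIELD_MAX];
    char link[FIELD_MAX];
    char nic[FIELD_MAX];
};

/* Constructed sample database: two tenants with ports on the same bridge. */
static const char sample_db[] =
    "alice veth ovsbr0 vethA1\n"
    "bob veth ovsbr0 vethB1\n";

/* Copy the next line of *cursor into buf and advance; false at end of input. */
static bool next_line(const char **cursor, char *buf, size_t bufsz)
{
    const char *p = *cursor;
    if (*p == '\0')
        return false;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= bufsz)
        len = bufsz - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    *cursor = nl ? nl + 1 : p + strlen(p);
    return true;
}

/* Parse one "owner type link nic" line; false if it lacks the 4 fields. */
static bool parse_line(const char *line, struct nic_entry *e)
{
    return sscanf(line, "%63s %63s %63s %63s",
                  e->owner, e->type, e->link, e->nic) == 4;
}

/* Vulnerable shape: owner/type/link mismatches jump to `next`, but the name
 * comparison lives below that label, so it still runs for entries the
 * earlier checks rejected.  Returns true if deleting `nic` is "authorized". */
static bool find_line_vulnerable(const char *db, const char *owner,
                                 const char *type, const char *link,
                                 const char *nic)
{
    bool authorized = false;
    int owned = 0;            /* entries that belong to the caller */
    char buf[4 * FIELD_MAX];
    struct nic_entry e;

    while (next_line(&db, buf, sizeof buf)) {
        if (!parse_line(buf, &e))
            continue;
        if (strcmp(e.owner, owner) != 0 || strcmp(e.type, type) != 0 ||
            strcmp(e.link, link) != 0)
            goto next;        /* not the caller's entry */
        owned++;
next:
        /* BUG: reached on every line, including the ones that just failed
         * the ownership checks; a name match alone grants deletion. */
        if (strcmp(e.nic, nic) == 0)
            authorized = true;
    }
    (void)owned;
    return authorized;
}

/* Hardened shape: an entry authorizes a deletion only when owner, type,
 * link and nic all match the caller's request. */
static bool find_line_fixed(const char *db, const char *owner,
                            const char *type, const char *link,
                            const char *nic)
{
    char buf[4 * FIELD_MAX];
    struct nic_entry e;

    while (next_line(&db, buf, sizeof buf)) {
        if (!parse_line(buf, &e))
            continue;
        if (strcmp(e.owner, owner) == 0 && strcmp(e.type, type) == 0 &&
            strcmp(e.link, link) == 0 && strcmp(e.nic, nic) == 0)
            return true;
    }
    return false;
}

int main(void)
{
    /* bob asks to delete alice's port by name */
    printf("vulnerable: bob may delete vethA1 -> %d\n",
           find_line_vulnerable(sample_db, "bob", "veth", "ovsbr0", "vethA1"));
    printf("fixed:      bob may delete vethA1 -> %d\n",
           find_line_fixed(sample_db, "bob", "veth", "ovsbr0", "vethA1"));
    printf("fixed:      bob may delete vethB1 -> %d\n",
           find_line_fixed(sample_db, "bob", "veth", "ovsbr0", "vethB1"));
    return 0;
}
```

Compile with `cc -Wall` and run: the vulnerable scan answers 1 for bob's request against alice's vethA1 because the first line reaches the name comparison after failing the owner check, while the hardened scan answers 0 for that request and 1 only for bob's own vethB1. The fix is not a downstream re-check but removing the path on which a rejected entry can still set the flag.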
Published: 2026-05-05
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unprivileged user can delete a network interface that belongs to another tenant by exploiting an authorization logic flaw in lxc’s lxc-user-nic delete handling. The vulnerable find_line() function can set the deletion flag based on a name match alone, ignoring the ownership, type, and link fields. This constitutes an improper authorization (CWE‑863) that can cause a denial of service by severing networking for a tenant’s containers.

Affected Systems

The flaw exists in lxc before version 7.0.0. Installations that use the setuid lxc-user-nic helper to give unprivileged users ports on OpenVSwitch bridges in a multi-tenant setting are exposed. Upgrade to version 7.0.0 or later; no earlier release carries the fix.

Risk and Exploitability

The CVSS 4.0 score of 4.3 (Medium) reflects a local, low-privilege attack with no user interaction but with attack requirements present (AT:P) whose only impact is high availability loss on a subsequent system (SA:H, all other impact metrics N): the vulnerable host is not itself compromised, but another tenant's containers lose networking. An EPSS score is not yet available and the vulnerability is not listed in the CISA KEV catalog, so there is no public indication of exploitation at this time. Exploitation requires an unprivileged user who has been granted a valid lxc-usernet policy entry on a host that uses OpenVSwitch bridges; under those conditions a malicious tenant can repeatedly disconnect the networking of another tenant's containers.

Generated by OpenCVE AI on May 5, 2026 at 22:22 UTC.

Remediation

The structured remediation data carries no vendor fix or workaround entry; the CVE description itself states that the flaw is patched in lxc 7.0.0 (see the recommended actions below).

OpenCVE Recommended Actions

  • Update lxc to version 7.0.0 or later to apply the authorization-verification fix
  • Restrict lxc-usernet entries so that each tenant is granted ports only on its own bridge, or do not grant the lxc-user-nic helper to untrusted tenants at all
  • Apply system-level controls such as SELinux or AppArmor profiles to the setuid lxc-user-nic helper, since the unprivileged caller cannot delete OVS ports directly and the helper performs the deletion on their behalf
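As an added illustration of the second action (not from the page or the lxc project), the lxc-usernet policy format is one entry per line, `user type bridge count`; the weak setting places both tenants on one OVS bridge, the corrected one gives each tenant its own. The bridge names are assumptions. Because the description states that the vulnerable check ignores the link field as well as the owner, treat per-tenant bridges as defence in depth rather than a substitute for upgrading to 7.0.0.

```text
# /etc/lxc/lxc-usernet  (weak: both tenants share ovsbr0)
alice veth ovsbr0 10
bob   veth ovsbr0 10

# /etc/lxc/lxc-usernet  (corrected: one OVS bridge per tenant)
alice veth ovsbr-alice 10
bob   veth ovsbr-bob   10
```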


Advisories

No advisories yet.

History

Wed, 06 May 2026 09:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Lxc
                                      Lxc lxc
Vendors & Products                    Lxc
                                      Lxc lxc

Tue, 05 May 2026 21:00:00 +0000

Type           Values Removed   Values Added
Description                     lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a deletion request, the interface name comparison can set the authorization flag based on a name match alone, even when the ownership, type, and link fields in that database entry belong to a different user. The vulnerable check sits after the goto next label handling, meaning it is reachable on lines where earlier ownership checks failed or were skipped. Because nothing downstream of this authorization signal re-verifies that the matched database line actually belongs to the caller, an unprivileged attacker with a valid lxc-usernet policy entry can trigger deletion of another user's OVS port on the same bridge. This is limited to multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. The impact is denial of service - one tenant can repeatedly disconnect networking from containers run by another tenant on shared infrastructure. This is patched in version 7.0.0.
Title                           lxc lxc-user-nic insufficient ownership validation allows cross-tenant OVS port deletion
Weaknesses                      CWE-863
References
Metrics                         cvssV4_0 {'score': 4.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T20:45:24.107Z

Reserved: 2026-04-06T22:06:40.517Z

Link: CVE-2026-39402

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T21:16:22.537

Modified: 2026-05-05T21:16:22.537

Link: CVE-2026-39402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:21:29Z

Weaknesses