Description
In the Linux kernel, the following vulnerability has been resolved:

unshare: fix unshare_fs() handling

There's an unpleasant corner case in unshare(2), when we have a
CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that
case copy_mnt_ns() gets passed current->fs instead of a private copy,
which causes interesting warts in proof of correctness]

> I guess if private means fs->users == 1, the condition could still be true.

Unfortunately, it's worse than just a convoluted proof of correctness.
Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS
(and current->fs->users == 1).

We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and
flips current->fs->{pwd,root} to corresponding locations in the new namespace.
Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).
We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's
destroyed and its mount tree is dissolved, but... current->fs->root and
current->fs->pwd are both left pointing to now detached mounts.

They are pinning those, so it's not a UAF, but it leaves the calling
process with unshare(2) failing with -ENOMEM _and_ leaving it with
pwd and root on detached isolated mounts. The last part is clearly a bug.

There is other fun related to that mess (races with pivot_root(), including
the one between pivot_root() and fork(), of all things), but this one
is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new
fs_struct even if it hadn't been shared in the first place". Sure, we could
go for something like "if both CLONE_NEWNS *and* one of the things that might
end up failing after copy_mnt_ns() call in create_new_namespaces() are set,
force allocation of new fs_struct", but let's keep it simple - the cost
of copy_fs_struct() is trivial.

Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets
a freshly allocated fs_struct, yet to be attached to anything. That
seriously simplifies the analysis...

FWIW, that bug had been there since the introduction of unshare(2) ;-/
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel flaw involves the unshare(2) system call when a process requests a new mount namespace using CLONE_NEWNS while its current filesystem structure has not yet been isolated. The kernel erroneously passes the existing fs_struct to copy_mnt_ns, which may later move the process’s root and current working directory into the new namespace. If a subsequent namespace operation such as copy_cgroup_ns fails, the created mount namespace is destroyed while the process’s root and cwd still point to detached mounts, leaving the process with an invalid filesystem view. This can lead to application crashes or incorrect filesystem operations, representing a local denial‑of‑service condition. The vulnerability does not provide a path to privilege escalation or remote code execution. The likely attack vector is a local user executing unshare(2) with CLONE_NEWNS (optionally combined with other namespace flags) on an unpatched kernel.

Affected Systems

All Linux kernel releases prior to the commit that introduced the fix (42e21e74061b0ebbd859839f81acf10efad02a27) are impacted. The affected range includes kernel 2.6.16 and its release candidates, as well as later stable releases through the 7.0 development snapshots listed in the CPE data. Any distribution shipping an unpatched kernel within this scope is vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalogue, implying a low exploitation probability under current conditions. A local attacker can trigger the issue by invoking unshare(2) with CLONE_NEWNS (and possibly other namespace flags), causing the process to fail with an error while its root and cwd become invalid. The result is a local denial‑of‑service scenario that does not expose higher privileges or remote access.

Generated by OpenCVE AI on May 21, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit fixing unshare_fs() handling (42e21e74061b0ebbd859839f81acf10efad02a27).
  • If upgrading is not immediately feasible, avoid calling unshare(2) with CLONE_NEWNS together with CLONE_NEWCGROUP until a patched kernel is available or an alternative approach is used.
  • If a process has already invoked unshare(2) and encountered an error, terminate and restart it to restore a consistent root and working directory state.

Generated by OpenCVE AI on May 21, 2026 at 16:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Thu, 21 May 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*

Thu, 21 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
CPEs cpe:2.3:o:linux:linux_kernel:2.6.16:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.16:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.16:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.16:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.16:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 09 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: unshare: fix unshare_fs() handling There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness] > I guess if private means fs->users == 1, the condition could still be true. Unfortunately, it's worse than just a convoluted proof of correctness. Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS (and current->fs->users == 1). We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and flips current->fs->{pwd,root} to corresponding locations in the new namespace. Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM). We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's destroyed and its mount tree is dissolved, but... current->fs->root and current->fs->pwd are both left pointing to now detached mounts. They are pinning those, so it's not a UAF, but it leaves the calling process with unshare(2) failing with -ENOMEM _and_ leaving it with pwd and root on detached isolated mounts. The last part is clearly a bug. There is other fun related to that mess (races with pivot_root(), including the one between pivot_root() and fork(), of all things), but this one is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new fs_struct even if it hadn't been shared in the first place". Sure, we could go for something like "if both CLONE_NEWNS *and* one of the things that might end up failing after copy_mnt_ns() call in create_new_namespaces() are set, force allocation of new fs_struct", but let's keep it simple - the cost of copy_fs_struct() is trivial. Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets a freshly allocated fs_struct, yet to be attached to anything. That seriously simplifies the analysis... FWIW, that bug had been there since the introduction of unshare(2) ;-/
Title unshare: fix unshare_fs() handling
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:25:16.258Z

Reserved: 2026-05-01T14:12:56.011Z

Link: CVE-2026-43472

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:17:00.313

Modified: 2026-05-21T14:59:05.957

Link: CVE-2026-43472

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43472 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T16:15:14Z

Weaknesses