Description
In the Linux kernel, the following vulnerability has been resolved:

unshare: fix unshare_fs() handling

There's an unpleasant corner case in unshare(2), when we have a
CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that
case copy_mnt_ns() gets passed current->fs instead of a private copy,
which causes interesting warts in proof of correctness]

> I guess if private means fs->users == 1, the condition could still be true.

Unfortunately, it's worse than just a convoluted proof of correctness.
Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS
(and current->fs->users == 1).

We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and
flips current->fs->{pwd,root} to corresponding locations in the new namespace.
Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).
We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's
destroyed and its mount tree is dissolved, but... current->fs->root and
current->fs->pwd are both left pointing to now detached mounts.

They are pinning those, so it's not a UAF, but it leaves the calling
process with unshare(2) failing with -ENOMEM _and_ leaving it with
pwd and root on detached isolated mounts. The last part is clearly a bug.

There is other fun related to that mess (races with pivot_root(), including
the one between pivot_root() and fork(), of all things), but this one
is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new
fs_struct even if it hadn't been shared in the first place". Sure, we could
go for something like "if both CLONE_NEWNS *and* one of the things that might
end up failing after copy_mnt_ns() call in create_new_namespaces() are set,
force allocation of new fs_struct", but let's keep it simple - the cost
of copy_fs_struct() is trivial.

Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets
a freshly allocated fs_struct, yet to be attached to anything. That
seriously simplifies the analysis...

FWIW, that bug had been there since the introduction of unshare(2) ;-/
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the Linux kernel’s handling of the unshare(2) system call. When a process requests a new mount namespace through CLONE_NEWNS while its current filesystem structure (fs_struct) has not yet been isolated, the kernel duplicates this structure but later damages the calling process’s filesystem pointers if a subsequent namespace creation such as copy_cgroup_ns() fails. As the root and current working directory of the process are left pointing to mounts that have been torn down, the process can encounter crashes, undefined behavior, or other filesystem inconsistencies. This effectively creates a local denial‑of‑service condition where a helper process cannot recover except by restarting or remounting the affected mounts.

Affected Systems

All releases of the Linux kernel that predate the commit identified by the hash 42e21e74061b0ebbd859839f81acf10efad02a27 are affected. Systems running a kernel that contains this commit or newer versions are no longer vulnerable. The issue applies universally to the Linux kernel across distributions, as the vulnerability is tied to the core kernel source.

Risk and Exploitability

The CVSS score of 7.0 indicates moderate severity. The EPSS score is below 1%, suggesting a low exploitation probability. It is not listed in the CISA KEV catalogue, further indicating that exploitation risk is currently low. The likely attack vector requires a process to invoke unshare(2) with CLONE_NEWNS (and optionally other namespace flags such as CLONE_NEWCGROUP) and have the subsequent namespace creation fail. Because creating a new cgroup namespace typically demands elevated privileges, the vulnerability is most likely exploitable by a local user with sufficient kernel capabilities. The end result is a service interruption for the affected process rather than privilege escalation or remote compromise.

Generated by OpenCVE AI on May 9, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit fixing unshare_fs() handling (42e21e74061b0ebbd859839f81acf10efad02a27).
  • If a kernel upgrade cannot be applied immediately, avoid calling unshare(2) with CLONE_NEWNS together with CLONE_NEWCGROUP until a patched kernel is available or until a validated alternative is in place.
  • For processes that have invoked unshare(2) and received an error, terminate and restart them to reset their root and working directories. After a failure, run "/usr/bin/mount -l" to inspect the current mount table and remount or recreate any detached mounts before continuing operation.

Generated by OpenCVE AI on May 9, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: unshare: fix unshare_fs() handling There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness] > I guess if private means fs->users == 1, the condition could still be true. Unfortunately, it's worse than just a convoluted proof of correctness. Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS (and current->fs->users == 1). We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and flips current->fs->{pwd,root} to corresponding locations in the new namespace. Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM). We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's destroyed and its mount tree is dissolved, but... current->fs->root and current->fs->pwd are both left pointing to now detached mounts. They are pinning those, so it's not a UAF, but it leaves the calling process with unshare(2) failing with -ENOMEM _and_ leaving it with pwd and root on detached isolated mounts. The last part is clearly a bug. There is other fun related to that mess (races with pivot_root(), including the one between pivot_root() and fork(), of all things), but this one is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new fs_struct even if it hadn't been shared in the first place". Sure, we could go for something like "if both CLONE_NEWNS *and* one of the things that might end up failing after copy_mnt_ns() call in create_new_namespaces() are set, force allocation of new fs_struct", but let's keep it simple - the cost of copy_fs_struct() is trivial. Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets a freshly allocated fs_struct, yet to be attached to anything. That seriously simplifies the analysis... FWIW, that bug had been there since the introduction of unshare(2) ;-/
Title unshare: fix unshare_fs() handling
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-09T04:11:04.022Z

Reserved: 2026-05-01T14:12:56.011Z

Link: CVE-2026-43472

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:17:00.313

Modified: 2026-05-08T15:17:00.313

Link: CVE-2026-43472

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43472 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T16:00:13Z

Weaknesses