CVE-2026-53075 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

ppp: require CAP_NET_ADMIN in target netns for unattached ioctls

/dev/ppp open is currently authorized against file->f_cred->user_ns,
while unattached administrative ioctls operate on current->nsproxy->net_ns.

As a result, a local unprivileged user can create a new user namespace
with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace,
and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against
an inherited network namespace.

Require CAP_NET_ADMIN in the user namespace that owns the target network
namespace before handling unattached PPP administrative ioctls.

This preserves normal pppd operation in the network namespace it is
actually privileged in, while rejecting the userns-only inherited-netns
case.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

An unprivileged user can create a new user namespace and obtain CAP_NET_ADMIN only within that namespace. This capability is then incorrectly applied to PPP administration ioctls (PPPIOCNEWUNIT, PPPIOCATTACH, PPPIOCATTCHAN) that target an inherited network namespace. The missing check allows the user to perform privileged PPP operations on a network namespace they are not actually privileged in, effectively granting local privilege escalation. The weakness is an authorization flaw that permits unauthorized access to administrative functionality.

Affected Systems

All Linux kernel implementations that shipped before the fix commit in the kernel. The affected code path resides in the PPP driver for /dev/ppp, which is part of the generic kernel source tree. No specific version list is provided, so any kernel prior to the commit that introduced CAP_NET_ADMIN enforcement is vulnerable.

Risk and Exploitability

The vulnerability is exploitable on any system where the user can use CLONE_NEWUSER to create a user namespace. Because it requires only local access and does not need network connectivity, the attacker must be able to run code on the target machine. The EPSS score is not available, but the lack of restriction on user namespace creation gives this flaw significant potential for exploitation. The vulnerability is not yet listed in the CISA KEV catalog, suggesting no widely known active exploitation at the time of this analysis.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`273ec51dd7ceaa76e038875d85061ec856d8905e`	affected	< c9edd90c57ae23692fff6b049fdfa4572a9fd532
`273ec51dd7ceaa76e038875d85061ec856d8905e`	affected	< 5080e188c914110034bbc569d5cfa2f06204681d
`273ec51dd7ceaa76e038875d85061ec856d8905e`	affected	< 67e901e28d177ac9a9bed76d69ce3471e704a89e
`273ec51dd7ceaa76e038875d85061ec856d8905e`	affected	< 954745d0223e7caec917c0b2d1a889ff56fa6e54
`273ec51dd7ceaa76e038875d85061ec856d8905e`	affected	< 3b2c2157dc2afc5c17cd7238afefca92f1ef330e
`273ec51dd7ceaa76e038875d85061ec856d8905e`	affected	< 5013be175c7ffd8b39efbc3c9c4db5b10b85fea8
`273ec51dd7ceaa76e038875d85061ec856d8905e`	affected	< 1a8a51ce85075a56a743b6f142606dd2696a391c
`273ec51dd7ceaa76e038875d85061ec856d8905e`	affected	< 2bb6379416fd19f44c3423a00bfd8626259f6067

Linux

affected

Version	Status	Constraints
`2.6.30`	affected	—
`0`	unaffected	< 2.6.30
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the patch that requires CAP_NET_ADMIN in the target network namespace for unattached PPP ioctls; refer to the commit logs linked in the provided references.
If a kernel upgrade cannot be performed immediately, disable unprivileged users' ability to create user namespaces by setting kernel.unprivileged_userns_clone=0 in /etc/sysctl.conf and reloading sysctl, which prevents the creation of new user namespaces and thwarts this attack vector.
Ensure that any existing PPP services or applications enforce the presence of CAP_NET_ADMIN in the target network namespace, for example by reconfiguring pppd to run with appropriate privileges and by auditing running processes for unexpected capability modifications.

Generated by OpenCVE AI on June 24, 2026 at 19:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1a8a51ce85075a56a743b6f142606dd2696a391c
https://git.kernel.org/stable/c/2bb6379416fd19f44c3423a00bfd8626259f6067
https://git.kernel.org/stable/c/3b2c2157dc2afc5c17cd7238afefca92f1ef330e
https://git.kernel.org/stable/c/5013be175c7ffd8b39efbc3c9c4db5b10b85fea8
https://git.kernel.org/stable/c/5080e188c914110034bbc569d5cfa2f06204681d
https://git.kernel.org/stable/c/67e901e28d177ac9a9bed76d69ce3471e704a89e
https://git.kernel.org/stable/c/954745d0223e7caec917c0b2d1a889ff56fa6e54
https://git.kernel.org/stable/c/c9edd90c57ae23692fff6b049fdfa4572a9fd532

History

Wed, 24 Jun 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ppp: require CAP_NET_ADMIN in target netns for unattached ioctls /dev/ppp open is currently authorized against file->f_cred->user_ns, while unattached administrative ioctls operate on current->nsproxy->net_ns. As a result, a local unprivileged user can create a new user namespace with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace, and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against an inherited network namespace. Require CAP_NET_ADMIN in the user namespace that owns the target network namespace before handling unattached PPP administrative ioctls. This preserves normal pppd operation in the network namespace it is actually privileged in, while rejecting the userns-only inherited-netns case.
Title		ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1a8a51ce85075a56a743b6f142606dd2696a391c https://git.kernel.org/stable/c/2bb6379416fd19f44c3423a00bfd8626259f6067 https://git.kernel.org/stable/c/3b2c2157dc2afc5c17cd7238afefca92f1ef330e https://git.kernel.org/stable/c/5013be175c7ffd8b39efbc3c9c4db5b10b85fea8 https://git.kernel.org/stable/c/5080e188c914110034bbc569d5cfa2f06204681d https://git.kernel.org/stable/c/67e901e28d177ac9a9bed76d69ce3471e704a89e https://git.kernel.org/stable/c/954745d0223e7caec917c0b2d1a889ff56fa6e54 https://git.kernel.org/stable/c/c9edd90c57ae23692fff6b049fdfa4572a9fd532

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:30:16.214Z

Updated: 2026-06-24T16:30:16.214Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53075

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:30:08Z

Weaknesses

CWE-284
Improper Access Control

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object