KernelScan.io

HIGH

nsfs FileHandle Leak

CVE-2026-43391

CVSS 8.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

KernelScan AI 3.2 (LOW)


In the Linux kernel, the following vulnerability has been resolved:

nsfs: tighten permission checks for handle opening

Even privileged services should not necessarily be able to see other privileged services' namespaces so they can't leak information to each other. Use the may_see_all_namespaces() helper that centralizes this policy until the nstree adapts.


Engine v0.2.0

Risk summary

Privileged services can access other privileged services' namespace file handles, potentially leaking sensitive namespace information. This breaks isolation between services that should be compartmentalized from each other.

Affected: fs/nsfs.c (namespace filesystem)

Vulnerability analysis

The vulnerability exists in nsfs_fh_to_dentry(), where namespace file handle decoding used ns_capable(owning_ns, CAP_SYS_ADMIN) instead of the more restrictive may_see_all_namespaces() check. This allowed any process with CAP_SYS_ADMIN in a target namespace to decode file handles for that namespace, breaking the intended isolation between privileged services. The fix replaces the capability check with a centralized policy function that enforces stricter namespace visibility rules.


Branch      Fixed in    Patch commit
6.19        6.19.9      1797ee11451f
mainline    7.0         d2324a9317f0