HIGH
nsfs Iteration Leak
CVE-2026-43403
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
KernelScan AI 2.3 LOW
01 Description
In the Linux kernel, the following vulnerability has been resolved:

nsfs: tighten permission checks for ns iteration ioctls

Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts.
02 KernelScan AI Analysis
Risk summary
Privileged services with CAP_SYS_ADMIN can inappropriately access and enumerate other privileged services' mount namespaces, potentially leaking sensitive information about container or service isolation boundaries. This affects multi-tenant environments where privileged services should remain isolated from each other.
Vulnerability analysis
The vulnerability stems from insufficient permission checks in the nsfs namespace iteration ioctls (NS_MNT_GET_NEXT, NS_MNT_GET_PREV). While these ioctls required privilege, they didn't prevent privileged services from accessing each other's namespaces. The fix adds may_see_all_namespaces() which requires both being in the initial PID namespace and having CAP_SYS_ADMIN in the initial user namespace, properly restricting access to only the most privileged context (typically init/systemd) rather than any privileged service.
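The two conditions described above can be approximated from userspace when auditing which services would still pass the tightened check. This is an added example, not the kernel's code: `meets_ns_iteration_policy()` is a hypothetical helper, the initial-namespace inode numbers are the fixed constants from `include/linux/proc_ns.h`, and the inputs are the `/proc/<pid>/ns/pid` and `/proc/<pid>/ns/user` link targets plus the text of `/proc/<pid>/status`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Inode numbers of the initial namespaces, from include/linux/proc_ns.h. */
#define PROC_USER_INIT_INO 0xEFFFFFFDUL
#define PROC_PID_INIT_INO  0xEFFFFFFCUL
#define CAP_SYS_ADMIN_BIT  21 /* CAP_SYS_ADMIN in linux/capability.h */

/* Parse a /proc/<pid>/ns link target such as "pid:[4026531836]". 0 = malformed. */
static unsigned long ns_inode(const char *link, const char *type)
{
    size_t n = strlen(type);
    char *end;
    if (strncmp(link, type, n) != 0 || strncmp(link + n, ":[", 2) != 0)
        return 0;
    unsigned long ino = strtoul(link + n + 2, &end, 10);
    return (*end == ']' && end[1] == '\0') ? ino : 0;
}

/* Hypothetical helper: userspace approximation of the two conditions the
 * analysis gives for may_see_all_namespaces(). Returns 1 if both hold. */
int meets_ns_iteration_policy(const char *pid_link, const char *user_link,
                              const char *status)
{
    const char *cap = strstr(status, "CapEff:");
    unsigned long long eff = cap ? strtoull(cap + 7, NULL, 16) : 0;
    if (ns_inode(pid_link, "pid") != PROC_PID_INIT_INO)
        return 0; /* not in the initial PID namespace */
    if (ns_inode(user_link, "user") != PROC_USER_INIT_INO)
        return 0; /* capabilities apply to a child user namespace only */
    return (int)((eff >> CAP_SYS_ADMIN_BIT) & 1);
}

int main(void)
{
    char pid[64] = "", user[64] = "", status[8192] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (!f || readlink("/proc/self/ns/pid", pid, sizeof pid - 1) < 0 ||
        readlink("/proc/self/ns/user", user, sizeof user - 1) < 0)
        return 2;
    size_t n = fread(status, 1, sizeof status - 1, f);
    status[n] = '\0';
    fclose(f);
    printf("pid=%s user=%s -> %s\n", pid, user,
           meets_ns_iteration_policy(pid, user, status) ? "passes" : "denied");
    return 0;
}
```

A container root process that holds a full capability set but runs in its own PID namespace is reported as denied, which is the isolation the fix is described as enforcing.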
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.78 | 3376b345df15 |
| 6.18 | 6.18.20 | 2f3dea284c76 |
| 6.19 | 6.19.9 | 0ad650e60150 |
| mainline | 7.0 | e6b899f08066 |