CVE-2026-39402
Awaiting Analysis Awaiting Analysis - Queue
Authorization Bypass in LXC User-NIC for OVS Port Deletion

Publication date: 2026-05-05

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a deletion request, the interface name comparison can set the authorization flag based on a name match alone, even when the ownership, type, and link fields in that database entry belong to a different user. The vulnerable check sits after the goto next label handling, meaning it is reachable on lines where earlier ownership checks failed or were skipped. Because nothing downstream of this authorization signal re-verifies that the matched database line actually belongs to the caller, an unprivileged attacker with a valid lxc-usernet policy entry can trigger deletion of another user's OVS port on the same bridge. This is limited to multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. The impact is denial of service - one tenant can repeatedly disconnect networking from containers run by another tenant on shared infrastructure. This is patched in version 7.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39402
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxcontainers lxc 7.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability results in a denial-of-service (DoS) condition by allowing an unprivileged user to delete network interfaces of other users' containers in multi-tenant environments. It impacts availability but does not affect confidentiality or integrity of data.

Since the vulnerability does not lead to unauthorized access to or disclosure of personal or sensitive data, its direct impact on compliance with data protection regulations such as GDPR or HIPAA is limited.

However, the disruption of network availability could indirectly affect compliance if it impairs the availability of systems that process or store regulated data, as availability is a key principle in many security frameworks.

Executive Summary

This vulnerability exists in the lxc-user-nic setuid helper of the lxc Linux container runtime. It involves a logic flaw in the find_line() function used during the deletion of network interfaces. Specifically, when lxc-user-nic attempts to authorize a deletion request by scanning its NIC database, it may incorrectly authorize deletion based solely on a matching interface name, without properly verifying ownership, type, or link fields.

Because the authorization check occurs after a goto next label that skips earlier ownership checks, an unprivileged user with a valid lxc-usernet policy can delete OpenVSwitch (OVS)-attached network interfaces belonging to other users. This flaw allows one tenant in a multi-tenant environment to delete another tenant's OVS ports on the same bridge.

Impact Analysis

The primary impact of this vulnerability is denial of service in multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. An attacker tenant can repeatedly disconnect networking from containers run by other tenants on shared infrastructure by deleting their OVS-attached network interfaces.

Mitigation Strategies

The vulnerability is patched in lxc version 7.0.0. Immediate mitigation involves upgrading lxc to version 7.0.0 or later.

Since the issue affects multi-tenant environments using lxc-user-nic with OpenVSwitch bridges, restricting or reviewing the use of lxc-user-nic and its permissions in such environments can help reduce risk until the patch is applied.

Detection Guidance

Detection of this vulnerability involves identifying if the system is running a vulnerable version of lxc-user-nic prior to version 7.0.0 and if OpenVSwitch (OVS) bridges are used in a multi-tenant environment.

Since the vulnerability allows an unprivileged user to delete OVS-attached network interfaces belonging to other users, monitoring for unexpected deletions or changes in OVS ports can help detect exploitation attempts.

Suggested commands to help detect or investigate potential exploitation include:

  • Check the installed lxc version: `lxc-user-nic --version` or `dpkg -l | grep lxc`
  • List OpenVSwitch ports and their owners to identify unexpected changes: `ovs-vsctl list interface` and `ovs-vsctl show`
  • Monitor system logs for lxc-user-nic delete commands or errors related to network interface deletions: `journalctl -u lxc-user-nic` or `grep lxc-user-nic /var/log/syslog`
  • Audit user commands or use process accounting to detect unauthorized usage of lxc-user-nic delete.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39402. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart