CVE-2026-39402
Awaiting Analysis Awaiting Analysis - Queue

Authorization Bypass in LXC User-NIC for OVS Port Deletion

Vulnerability report for CVE-2026-39402, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-05

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description

lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a deletion request, the interface name comparison can set the authorization flag based on a name match alone, even when the ownership, type, and link fields in that database entry belong to a different user. The vulnerable check sits after the goto next label handling, meaning it is reachable on lines where earlier ownership checks failed or were skipped. Because nothing downstream of this authorization signal re-verifies that the matched database line actually belongs to the caller, an unprivileged attacker with a valid lxc-usernet policy entry can trigger deletion of another user's OVS port on the same bridge. This is limited to multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. The impact is denial of service - one tenant can repeatedly disconnect networking from containers run by another tenant on shared infrastructure. This is patched in version 7.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-05
Last Modified
2026-05-06
Generated
2026-07-06
AI Q&A
2026-05-06
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linuxcontainers lxc 7.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the lxc-user-nic setuid helper of the lxc Linux container runtime. It involves a logic flaw in the find_line() function used during the deletion of network interfaces. Specifically, when lxc-user-nic attempts to authorize a deletion request by scanning its NIC database, it may incorrectly authorize deletion based solely on a matching interface name, without properly verifying ownership, type, or link fields.

Because the authorization check occurs after a goto next label that skips earlier ownership checks, an unprivileged user with a valid lxc-usernet policy can delete OpenVSwitch (OVS)-attached network interfaces belonging to other users. This flaw allows one tenant in a multi-tenant environment to delete another tenant's OVS ports on the same bridge.

Impact Analysis

The primary impact of this vulnerability is denial of service in multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. An attacker tenant can repeatedly disconnect networking from containers run by other tenants on shared infrastructure by deleting their OVS-attached network interfaces.

Mitigation Strategies

The vulnerability is patched in lxc version 7.0.0. Immediate mitigation involves upgrading lxc to version 7.0.0 or later.

Since the issue affects multi-tenant environments using lxc-user-nic with OpenVSwitch bridges, restricting or reviewing the use of lxc-user-nic and its permissions in such environments can help reduce risk until the patch is applied.

Compliance Impact

This vulnerability results in a denial-of-service (DoS) condition by allowing an unprivileged user to delete network interfaces of other users' containers in multi-tenant environments. It impacts availability but does not affect confidentiality or integrity of data.

Since the vulnerability does not lead to unauthorized access to or disclosure of personal or sensitive data, its direct impact on compliance with data protection regulations such as GDPR or HIPAA is limited.

However, the disruption of network availability could indirectly affect compliance if it impairs the availability of systems that process or store regulated data, as availability is a key principle in many security frameworks.

Detection Guidance

Detection of this vulnerability involves identifying if the system is running a vulnerable version of lxc-user-nic prior to version 7.0.0 and if OpenVSwitch (OVS) bridges are used in a multi-tenant environment.

Since the vulnerability allows an unprivileged user to delete OVS-attached network interfaces belonging to other users, monitoring for unexpected deletions or changes in OVS ports can help detect exploitation attempts.

Suggested commands to help detect or investigate potential exploitation include:

  • Check the installed lxc version: `lxc-user-nic --version` or `dpkg -l | grep lxc`
  • List OpenVSwitch ports and their owners to identify unexpected changes: `ovs-vsctl list interface` and `ovs-vsctl show`
  • Monitor system logs for lxc-user-nic delete commands or errors related to network interface deletions: `journalctl -u lxc-user-nic` or `grep lxc-user-nic /var/log/syslog`
  • Audit user commands or use process accounting to detect unauthorized usage of lxc-user-nic delete.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39402. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart