CVE-2026-53075
Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ppp: require CAP_NET_ADMIN in target netns for unattached ioctls

/dev/ppp open is currently authorized against file->f_cred->user_ns, while unattached administrative ioctls operate on current->nsproxy->net_ns. As a result, a local unprivileged user can create a new user namespace with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace, and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against an inherited network namespace.

Require CAP_NET_ADMIN in the user namespace that owns the target network namespace before handling unattached PPP administrative ioctls. This preserves normal pppd operation in the network namespace it is actually privileged in, while rejecting the userns-only inherited-netns case.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's PPP (Point-to-Point Protocol) implementation. It involves improper authorization checks for unattached administrative ioctls (input/output control operations) on /dev/ppp: PPPIOCNEWUNIT, PPPIOCATTACH, and PPPIOCATTCHAN. Opening /dev/ppp is authorized against the user namespace of the file's credentials (file->f_cred->user_ns), but these ioctls operate on the caller's current network namespace (current->nsproxy->net_ns). Because of this mismatch, a local unprivileged user can create a new user namespace with CLONE_NEWUSER, gain CAP_NET_ADMIN only within that new namespace, and then issue these PPP ioctls against an inherited network namespace in which they hold no such privilege.

The fix requires that the CAP_NET_ADMIN capability be present in the user namespace that owns the target network namespace before allowing these administrative ioctls. This ensures that only properly privileged users in the correct network namespace can perform these operations.
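
The mismatch and the corrected check described above, as a user-space C model added here for illustration (it is not kernel code and not the patch itself). All struct and function names, the uid 1000 and the sample namespaces are assumptions constructed for the example, and the capability walk is a simplification of the kernel's namespace-aware capability check.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; all names below are illustrative, not kernel symbols. */
struct user_ns { struct user_ns *parent; int level; unsigned owner_uid; };
struct net_ns  { struct user_ns *owner; };  /* userns that owns this netns */
struct cred    { struct user_ns *user_ns; unsigned euid; bool cap_net_admin; };

/* Simplified namespace-aware capability rule: walk up from the target userns. */
static bool has_net_admin_in(const struct cred *c, const struct user_ns *target)
{
    for (const struct user_ns *ns = target; ns; ns = ns->parent) {
        if (ns == c->user_ns)
            return c->cap_net_admin;      /* capability held in own userns */
        if (ns->level <= c->user_ns->level)
            return false;                 /* target is not below the caller */
        if (ns->parent == c->user_ns && ns->owner_uid == c->euid)
            return true;                  /* caller created this child userns */
    }
    return false;
}

/* Before the fix: only the opener's own user namespace is consulted. */
static bool allowed_before(const struct cred *opener)
{
    return has_net_admin_in(opener, opener->user_ns);
}

/* After the fix: CAP_NET_ADMIN must also hold in the userns owning the netns. */
static bool allowed_after(const struct cred *opener, const struct net_ns *target)
{
    return allowed_before(opener) && has_net_admin_in(opener, target->owner);
}

/* Constructed scenario: init namespaces plus a child userns made by uid 1000. */
static struct user_ns init_userns  = { NULL, 0, 0 };
static struct user_ns child_userns = { &init_userns, 1, 1000 };
static struct net_ns  init_net     = { &init_userns };   /* inherited netns */
static struct net_ns  child_net    = { &child_userns };  /* netns made inside child */
static struct cred    root_pppd    = { &init_userns, 0, true };
static struct cred    userns_only  = { &child_userns, 1000, true };
int main(void)
{
    printf("userns-only, inherited netns: before=%d after=%d\n",
           allowed_before(&userns_only), allowed_after(&userns_only, &init_net));
    printf("root pppd, init netns: after=%d\n", allowed_after(&root_pppd, &init_net));
    printf("userns-only, own netns: after=%d\n", allowed_after(&userns_only, &child_net));
    return 0;
}
```

The model keeps the two cases the description distinguishes: pppd privileged in the namespace it operates on is still accepted, while the userns-only caller targeting an inherited network namespace is rejected.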

Impact Analysis

This vulnerability can allow a local unprivileged user to perform administrative operations on PPP devices in network namespaces where they should not have such privileges. By exploiting this, an attacker could potentially manipulate network interfaces or configurations within network namespaces they do not fully control, leading to unauthorized network access or disruption.

Mitigation Strategies

The vulnerability has been resolved by requiring CAP_NET_ADMIN in the user namespace that owns the target network namespace before handling unattached PPP administrative ioctls.

To mitigate this vulnerability, ensure your Linux kernel is updated to a version that includes this fix.

This update prevents local unprivileged users from exploiting the issue by creating new user namespaces with CAP_NET_ADMIN privileges and issuing unauthorized PPP ioctls.
