CVE Catalog

CVE-2026-53075

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

In the Linux kernel, a vulnerability in the PPP driver allows a local unprivileged user to perform administrative ioctls (such as PPPIOCNEWUNIT, PPPIOCATTACH, PPPIOCATTCHAN) in an inherited network namespace while only having CAP_NET_ADMIN in a newly created user namespace. The fix requires CAP_NET_ADMIN in the user namespace that owns the target network namespace.

Risk Assessment

The organization faces a privilege escalation risk where a local user can manipulate PPP interfaces in a network namespace they should not have access to, potentially compromising network traffic integrity and confidentiality.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit 0f8e3b9e5a1c) or later to prevent unauthorized PPP operations in inherited network namespaces.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: ppp: require CAP_NET_ADMIN in target netns for unattached ioctls /dev/ppp open is currently authorized against file->f_cred->user_ns, while unattached administrative ioctls operate on current->nsproxy->net_ns. As a result, a local unprivileged user can create a new user namespace with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace, and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against an inherited network namespace. Require CAP_NET_ADMIN in the user namespace that owns the target network namespace before handling unattached PPP administrative ioctls. This preserves normal pppd operation in the network namespace it is actually privileged in, while rejecting the userns-only inherited-netns case.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS