CVE-2026-43472

Published: May 8, 2026 · Updated: May 12, 2026

EPSS: 0.02% probability of exploitation in 30 days (percentile: 7.0th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

unshare: fix unshare_fs() handling

There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness]

> I guess if private means fs->users == 1, the condition could still be true.

Unfortunately, it's worse than just a convoluted proof of correctness. Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS (and current->fs->users == 1).

We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and flips current->fs->{pwd,root} to corresponding locations in the new namespace. Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM). We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's destroyed and its mount tree is dissolved, but... current->fs->root and current->fs->pwd are both left pointing to now detached mounts. They are pinning those, so it's not a UAF, but it leaves the calling process with unshare(2) failing with -ENOMEM _and_ leaving it with pwd and root on detached isolated mounts. The last part is clearly a bug.

There is other fun related to that mess (races with pivot_root(), including the one between pivot_root() and fork(), of all things), but this one is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new fs_struct even if it hadn't been shared in the first place". Sure, we could go for something like "if both CLONE_NEWNS *and* one of the things that might end up failing after copy_mnt_ns() call in create_new_namespaces() are set, force allocation of new fs_struct", but let's keep it simple - the cost of copy_fs_struct() is trivial.

Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets a freshly allocated fs_struct, yet to be attached to anything. That seriously simplifies the analysis...

FWIW, that bug had been there since the introduction of unshare(2) ;-/
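The failing sequence the commit message walks through, reduced to a small model as an added example (this is not kernel code and not from the commit): the structures, copy_mnt_ns(), put_mnt_ns() and the old versus fixed unshare_fs() rule are simplified stand-ins, the copy_cgroup_ns() failure is forced by a flag, and do_unshare() and outcome() are hypothetical helpers. It shows why only the fixed rule leaves the caller on its original mount tree when the later step fails.

```c
/* Model of the unshare_fs() ordering bug described above: simplified, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#define CLONE_NEWNS     0x00020000   /* flag values as in <linux/sched.h> */
#define CLONE_NEWCGROUP 0x02000000
struct mnt_ns { bool alive; };                              /* a mount tree */
struct fs_struct { int users; struct mnt_ns *root, *pwd; }; /* task's root/pwd */
static struct fs_struct *copy_fs_struct(const struct fs_struct *old)
{   /* fresh, unshared fs_struct pinning the same mounts as the old one */
    struct fs_struct *fs = malloc(sizeof *fs);
    *fs = (struct fs_struct){ 1, old->root, old->pwd };
    return fs;
}
static struct mnt_ns *copy_mnt_ns(struct fs_struct *fs)
{   /* new namespace (one static object stands in for it); flips fs->{root,pwd} into it */
    static struct mnt_ns new_ns;
    new_ns.alive = true; fs->root = fs->pwd = &new_ns;
    return &new_ns;
}
static void put_mnt_ns(struct mnt_ns *ns) { ns->alive = false; } /* mount tree dissolved */

/* One unshare(2). fixed: old vs. fixed unshare_fs() rule; cgroup_fails: copy_cgroup_ns() -ENOMEM */
static int do_unshare(unsigned flags, struct fs_struct **curp, bool fixed, bool cgroup_fails)
{
    struct fs_struct *cur = *curp, *fs = cur;
    if (cur->users > 1 || (fixed && (flags & CLONE_NEWNS))) /* old: copy only if shared */
        fs = copy_fs_struct(cur);                           /* fixed: also on CLONE_NEWNS */
    struct mnt_ns *ns = copy_mnt_ns(fs);   /* under the old rule fs may be cur itself */
    if ((flags & CLONE_NEWCGROUP) && cgroup_fails) {
        put_mnt_ns(ns);                    /* error path tears the new namespace down */
        if (fs != cur) free(fs);           /* private copy dropped; cur never touched */
        return -ENOMEM;
    }
    if (fs != cur) { if (--cur->users == 0) free(cur); *curp = fs; } /* commit */
    return 0;
}

/* unshare(CLONE_NEWNS|CLONE_NEWCGROUP) from a task whose fs_struct is not shared.
 * Returns 0: success; 1: failed, task still on the initial tree; 2: task's root left on a dissolved tree. */
static int outcome(bool fixed, bool cgroup_fails)
{
    struct mnt_ns init_ns = { true };
    struct fs_struct *cur = malloc(sizeof *cur);
    *cur = (struct fs_struct){ 1, &init_ns, &init_ns };   /* users == 1: not shared */
    int rc = do_unshare(CLONE_NEWNS | CLONE_NEWCGROUP, &cur, fixed, cgroup_fails);
    int res = !cur->root->alive ? 2 : rc == 0 ? 0 : 1;
    free(cur);
    return res;
}
```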

NVD Source

Technical Analysis

CVE-2026-43472 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description): Linux, Go

CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-43472
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: May 8, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43472 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.