2492295 – (CVE-2026-53075) CVE-2026-53075 kernel: ppp: require CAP_NET_ADMIN in target netns for unattached ioctls

Bug 2492295 (CVE-2026-53075) - CVE-2026-53075 kernel: ppp: require CAP_NET_ADMIN in target netns for unattached ioctls

Summary: CVE-2026-53075 kernel: ppp: require CAP_NET_ADMIN in target netns for unattac...

Keywords:
Status:	NEW
Alias:	CVE-2026-53075
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-24 18:04 UTC by OSIDB Bzimport
Modified:	2026-06-25 17:40 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:04:07 UTC

In the Linux kernel, the following vulnerability has been resolved:

ppp: require CAP_NET_ADMIN in target netns for unattached ioctls

/dev/ppp open is currently authorized against file->f_cred->user_ns,
while unattached administrative ioctls operate on current->nsproxy->net_ns.

As a result, a local unprivileged user can create a new user namespace
with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace,
and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against
an inherited network namespace.

Require CAP_NET_ADMIN in the user namespace that owns the target network
namespace before handling unattached PPP administrative ioctls.

This preserves normal pppd operation in the network namespace it is
actually privileged in, while rejecting the userns-only inherited-netns
case.

Comment 1 Keith Grant 2026-06-25 17:39:07 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062405-CVE-2026-53075-9f2a@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.