Ctrl + K
/ news / CVE
CVEPublished 2026-05-08Modified 2026-05-210 articles on news6 live referencesNVD data

CVE-2026-43472Linux · Linux_kernel

Vulnerability data via NVD (ingested)

CVSS v3.1
5.5
MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS percentile
Weaknesses (CWE)
CWE-908Use of Uninitialized Resource
Description

In the Linux kernel, the following vulnerability has been resolved: unshare: fix unshare_fs() handling There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness] > I guess if private means fs->users == 1, the condition could still be true. Unfortunately, it's worse than just a convoluted proof of correctness. Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS (and current->fs->users == 1). We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and flips current->fs->{pwd,root} to corresponding locations in the new namespace. Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM). We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's destroyed and its mount tree is dissolved, but... current->fs->root and current->fs->pwd are both left pointing to now detached mounts. They are pinning those, so it's not a UAF, but it leaves the calling process with unshare(2) failing with -ENOMEM _and_ leaving it with pwd and root on detached isolated mounts. The last part is clearly a bug. There is other fun related to that mess (races with pivot_root(), including the one between pivot_root() and fork(), of all things), but this one is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new fs_struct even if it hadn't been shared in the first place". Sure, we could go for something like "if both CLONE_NEWNS *and* one of the things that might end up failing after copy_mnt_ns() call in create_new_namespaces() are set, force allocation of new fs_struct", but let's keep it simple - the cost of copy_fs_struct() is trivial. Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets a freshly allocated fs_struct, yet to be attached to anything. That seriously simplifies the analysis... FWIW, that bug had been there since the introduction of unshare(2) ;-/

Timeline
Published 2026-05-08
Modified 2026-05-21

External references

NVDMITREExploit-DBGitHub PoCSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag76 hosts
vuln:CVE-2026-43472
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · OS
os:"Linux Kernel"
Hosts Shodan identified as running Linux Kernel.
More intel sources (5)
Shodan report
vuln:CVE-2026-43472
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-43472
Censys host search filtered to this CVE id.
grep.app
CVE-2026-43472
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-43472
GitHub code search for direct mentions.
Google dork
"CVE-2026-43472" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub

No public proof-of-concept repositories found for CVE-2026-43472 on GitHub.
We haven't classified any articles referencing CVE-2026-43472 yet. The external references above still apply.