CVE-2026-53075
ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
Vexday Risk Score
23Low
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS —EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
24 Jun 2026Published on NVD
25 Jun 2026Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
In the Linux kernel, the following vulnerability has been resolved:
ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
/dev/ppp open is currently authorized against file->f_cred->user_ns,
while unattached administrative ioctls operate on current->nsproxy->net_ns.
As a result, a local unprivileged user can create a new user namespace
with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace,
and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against
an inherited network namespace.
Require CAP_NET_ADMIN in the user namespace that owns the target network
namespace before handling unattached PPP administrative ioctls.
This preserves normal pppd operation in the network namespace it is
actually privileged in, while rejecting the userns-only inherited-netns
case.
Affected products
Linux · Linuxpublic PoCs found — 1
githubgithub.com/lottiedeyan/CVE-2026-53075poc★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://git.kernel.org/stable/c/1a8a51ce85075a56a743b6f142606dd2696a391chttps://git.kernel.org/stable/c/2bb6379416fd19f44c3423a00bfd8626259f6067https://git.kernel.org/stable/c/3b2c2157dc2afc5c17cd7238afefca92f1ef330ehttps://git.kernel.org/stable/c/5013be175c7ffd8b39efbc3c9c4db5b10b85fea8https://git.kernel.org/stable/c/5080e188c914110034bbc569d5cfa2f06204681dhttps://git.kernel.org/stable/c/67e901e28d177ac9a9bed76d69ce3471e704a89ehttps://git.kernel.org/stable/c/954745d0223e7caec917c0b2d1a889ff56fa6e54https://git.kernel.org/stable/c/c9edd90c57ae23692fff6b049fdfa4572a9fd532