CVE-2026-43472

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> unshare: fix unshare_fs() handling<br /> <br /> There&amp;#39;s an unpleasant corner case in unshare(2), when we have a<br /> CLONE_NEWNS in flags and current-&gt;fs hadn&amp;#39;t been shared at all; in that<br /> case copy_mnt_ns() gets passed current-&gt;fs instead of a private copy,<br /> which causes interesting warts in proof of correctness]<br /> <br /> &gt; I guess if private means fs-&gt;users == 1, the condition could still be true.<br /> <br /> Unfortunately, it&amp;#39;s worse than just a convoluted proof of correctness.<br /> Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS<br /> (and current-&gt;fs-&gt;users == 1).<br /> <br /> We pass current-&gt;fs to copy_mnt_ns(), all right. Suppose it succeeds and<br /> flips current-&gt;fs-&gt;{pwd,root} to corresponding locations in the new namespace.<br /> Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).<br /> We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it&amp;#39;s<br /> destroyed and its mount tree is dissolved, but... current-&gt;fs-&gt;root and<br /> current-&gt;fs-&gt;pwd are both left pointing to now detached mounts.<br /> <br /> They are pinning those, so it&amp;#39;s not a UAF, but it leaves the calling<br /> process with unshare(2) failing with -ENOMEM _and_ leaving it with<br /> pwd and root on detached isolated mounts. The last part is clearly a bug.<br /> <br /> There is other fun related to that mess (races with pivot_root(), including<br /> the one between pivot_root() and fork(), of all things), but this one<br /> is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new<br /> fs_struct even if it hadn&amp;#39;t been shared in the first place". Sure, we could<br /> go for something like "if both CLONE_NEWNS *and* one of the things that might<br /> end up failing after copy_mnt_ns() call in create_new_namespaces() are set,<br /> force allocation of new fs_struct", but let&amp;#39;s keep it simple - the cost<br /> of copy_fs_struct() is trivial.<br /> <br /> Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets<br /> a freshly allocated fs_struct, yet to be attached to anything. That<br /> seriously simplifies the analysis...<br /> <br /> FWIW, that bug had been there since the introduction of unshare(2) ;-/