VYPR
← All advisories
Medium severity5.5NVD Advisory· Published Apr 30, 2026· Updated May 6, 2026

CVE-2026-31692

CVE-2026-31692

Description

In the Linux kernel, the following vulnerability has been resolved:

rtnetlink: add missing netlink_ns_capable() check for peer netns

rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer network namespace when creating paired devices (veth, vxcan, netkit). This allows an unprivileged user with a user namespace to create interfaces in arbitrary network namespaces, including init_net.

Add a netlink_ns_capable() check for CAP_NET_ADMIN in the peer namespace before allowing device creation to proceed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing CAP_NET_ADMIN check in rtnetlink allows unprivileged users to create paired devices in arbitrary network namespaces.

Vulnerability

The Linux kernel's rtnetlink implementation, specifically the rtnl_newlink() function, lacks a netlink_ns_capable() check for CAP_NET_ADMIN in the peer network namespace when creating paired devices such as veth, vxcan, or netkit, and netkit. This oversight allows an unprivileged user who has created a user namespace to bypass the intended capability requirement and create network interfaces in arbitrary network namespaces, including the initial network namespace (init_net).

Exploitation

An attacker with the ability to create a user namespace can exploit this missing check by issuing a netlink request to create a paired device (e.g., veth pair) and specifying a peer namespace that they do not control. The kernel will proceed without verifying that the caller has CAP_NET_ADMIN in the target peer namespace. No additional authentication is required beyond the ability to create a user namespace, which is often available to unprivileged in many configurations.

Impact

Successful exploitation allows an unprivileged attacker to create network interfaces in network namespaces where they lack administrative privileges. This can lead to unauthorized network access, traffic interception, or disruption of network services in the target namespace. The impact is particularly severe when the attacker targets the initial network namespace (init_net), potentially affecting the host's network configuration.

Mitigation

The fix adds the missing netlink_ns_capable() check for CAP_NET_ADMIN in the peer namespace before allowing device creation. The patch has been applied to the Linux kernel stable tree [1][2][3]. Users should update their kernels to include this commit to prevent the vulnerability.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • Linux/Kernel8 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 7 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=2.6.33,<6.18.24
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.