CVE-2026-39402
CVE-2026-39402 is a medium-severity vulnerability in Linuxcontainers Lxc with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-863.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v4: 4.3
- EPSS exploit prediction: 0% (6th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-27497
- Weakness: CWE-863
- Affected product: Linuxcontainers Lxc
- Published:
- Last modified:
Description
lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a deletion request, the interface name comparison can set the authorization flag based on a name match alone, even when the ownership, type, and link fields in that database entry belong to a different user. The vulnerable check sits after the goto next label handling, meaning it is reachable on lines where earlier ownership checks failed or were skipped. Because nothing downstream of this authorization signal re-verifies that the matched database line actually belongs to the caller, an unprivileged attacker with a valid lxc-usernet policy entry can trigger deletion of another user's OVS port on the same bridge. This is limited to multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. The impact is denial of service - one tenant can repeatedly disconnect networking from containers run by another tenant on shared infrastructure. This is patched in version 7.0.0.
Frequently asked questions
- What is CVE-2026-39402?
- lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a deletion request, the interface name comparison can set the authorization flag based on a name match alone, even when the ownership, type, and link fields in that database entry belong to a different user. The vulnerable check sits after the goto next label handling, meaning it is reachable on lines where earlier ownership checks failed or were skipped. Because nothing downstream of this authorization signal re-verifies that the matched database line actually belongs to the caller, an unprivileged attacker with a valid lxc-usernet policy entry can trigger deletion of another user's OVS port on the same bridge. This is limited to multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. The impact is denial of service - one tenant can repeatedly disconnect networking from containers run by another tenant on shared infrastructure. This is patched in version 7.0.0.
- How severe is CVE-2026-39402?
- CVE-2026-39402 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-39402 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (6th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-39402?
- CVE-2026-39402 affects Linuxcontainers Lxc. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-39402?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-39402 have an EU (EUVD) identifier?
- Yes. CVE-2026-39402 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-27497.
- When was CVE-2026-39402 published?
- CVE-2026-39402 was published on 2026-05-05 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:linuxcontainers:lxc:*:*:*:*:*:*:*:*
More vulnerabilities in Linuxcontainers Lxc
- CVE-2016-8649 — Critical (CVSS 9.1): lxc-attach in LXC before 1.0.9 and 2.x before 2.0.6 allows an attacker inside of an unprivileged container to use an…
- CVE-2019-5736 — High (CVSS 8.6): runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc…
- CVE-2016-10124 — High (CVSS 8.6): An issue was discovered in Linux Containers (LXC) before 2016-02-22. When executing a program via lxc-attach, the…
- CVE-2017-18641 — High (CVSS 8.1): In LXC 2.0, many template scripts download code over cleartext HTTP, and omit a digital-signature check, before running…
- CVE-2015-1335 — High (CVSS 7.2): lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local container administrators to escape AppArmor…
- CVE-2013-6441 — High (CVSS 7.2): The lxc-sshd template (templates/lxc-sshd.in) in LXC before 1.0.0.beta2 uses read-write permissions when mounting…
All CVEs affecting Linuxcontainers Lxc →
Other CWE-863 (Incorrect Authorization) vulnerabilities
- CVE-2026-48286 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization…
- CVE-2026-48303 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization…
- CVE-2026-44330 — Critical (CVSS 10.0): free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the…
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-33105 — Critical (CVSS 10.0): Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over…
- CVE-2026-32213 — Critical (CVSS 10.0): Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Browse all CWE-863 (Incorrect Authorization) vulnerabilities →