CVE-2026-39402— lxc lxc-user-nic insufficient ownership validation allows cross-tenant OVS port deletion

lxc lxc-user-nic insufficient ownership validation allows cross-tenant OVS port deletion

lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a deletion request, the interface name comparison can set the authorization flag based on a name match alone, even when the ownership, type, and link fields in that database entry belong to a different user. The vulnerable check sits after the goto next label handling, meaning it is reachable on lines where earlier ownership checks failed or were skipped. Because nothing downstream of this authorization signal re-verifies that the matched database line actually belongs to the caller, an unprivileged attacker with a valid lxc-usernet policy entry can trigger deletion of another user's OVS port on the same bridge. This is limited to multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. The impact is denial of service - one tenant can repeatedly disconnect networking from containers run by another tenant on shared infrastructure. This is patched in version 7.0.0.

N/A

授权机制不正确

LXC 安全漏洞

LXC是LXC开源的一个经过大量测试的低级 Linux 容器运行时。 lxc存在安全漏洞，该漏洞源于setuid辅助程序lxc-user-nic中find_line函数的删除路径存在逻辑缺陷，允许非特权用户删除其他用户的OVS网络接口，可能导致拒绝服务攻击。

N/A

N/A