RHSB-2026-009 IPv6 Fragmentation Container Escape - Linux Kernel (CVE-2026-53362) - "ipv6_frag_escape"
Updated
Was this information helpful?
Feedback cancelled
Executive Summary
An Important privilege escalation and container escape flaw was found in the Linux kernel's IPv6 networking subsystem. This issue, also referred to as ipv6_frag_escape, has been assigned CVE-2026-53362. A user with local access inside a container could escape to the host, bypassing SELinux enforcement, and gain system administrator (root) access. Red Hat has begun releasing fixes, and additional updates will follow as they become available. Log in with your Red Hat account, then click the "Follow" button below to be notified of changes to this bulletin.
This flaw is distinct from the "Dirty Frag" vulnerabilities addressed in RHSB-2026-003 (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300), which affect different subsystems.
Affected Products
The following Red Hat product versions are directly affected:
- Red Hat Enterprise Linux 10
Further, any Red Hat product that relies on the Red Hat Enterprise Linux kernel (including RHEL CoreOS) is also potentially impacted. This includes layered products and managed OpenShift offerings. Please ensure that the underlying Red Hat Enterprise Linux kernel is current in these product environments.
Technical Details
A missing bounds check in the kernel's IPv6 fragmentation path (__ip6_append_data()) causes an out-of-bounds write into skb_shared_info. This flaw can be chained into arbitrary kernel read/write, enabling credential overwrite, SELinux bypass, and container escape.
Updates for Affected Products
Red Hat customers running affected versions of these Red Hat products are strongly recommended to update as soon as erratas are available. Customers are urged to apply the available updates immediately and enable the mitigations as they feel appropriate.
Red Hat Enterprise Linux 10.2
Advisory: RHSA-2026:34911
Release Date: 2026-07-02
Mitigation
Exploitation of this vulnerability requires the ability to create network namespaces. Default RHEL 10 configurations provide this capability to unprivileged users through user namespaces. Restricting access to user namespaces reduces the attack surface. The workaround below reduces exposure but does not address the underlying kernel bug. Apply the updated kernel as soon as it is available.
On systems where unprivileged user namespaces are not required, apply the following sysctl to disable them at runtime:
Warning: This setting will break functionality that depends on unprivileged user namespaces, including rootless Podman containers and certain application sandboxes. If your environment depends on these capabilities, prioritize installing the updated kernel instead.
sudo sysctl -w user.max_user_namespaces=0
To persist this setting across reboots:
echo 'user.max_user_namespaces = 0' | sudo tee /etc/sysctl.d/99-disable-userns.conf
To reverse the workaround, delete the sysctl drop-in file and restore the original value (the system default is 65534):
sudo rm /etc/sysctl.d/99-disable-userns.conf
sudo sysctl -w user.max_user_namespaces=65534
Comments