Logic Flaw in LXC Container Runtime Affects OpenVSwitch Network Interfaces
CVE-2026-39402

4.3 MEDIUM

Key Information:

Vendor

Lxc

Status
Vendor
CVE Published:
5 May 2026

What is CVE-2026-39402?

The LXC container runtime has a logic flaw in its setuid helper, lxc-user-nic, that allows unprivileged users to delete network interfaces attached to OpenVSwitch (OVS) ports owned by other users. The cause is inadequate authorization checking in the find_line() function, which is responsible for validating deletion requests. When an unprivileged attacker sends a deletion request, the helper may erroneously grant authorization based solely on an interface name match, neglecting the critical checks for ownership and type. This vulnerability primarily impacts multi-tenant environments, where one tenant can disrupt service for other users by disconnecting their networking on shared infrastructure. The issue is resolved in version 7.0.0.
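The authorization gap described above, as an added example that is not LXC's code: a constructed model of an interface ownership database, with a name-only deletion check beside one that also requires owner, type and link to match. The record layout, sample entries and both function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one ownership record. Field names and layout are
 * assumptions for illustration, not LXC's on-disk format. */
struct nic_record {
    const char *owner;   /* user who created the interface */
    const char *type;    /* interface type, e.g. "veth" */
    const char *link;    /* bridge the port is attached to */
    const char *ifname;  /* host-side interface name */
};

/* Constructed sample database: two tenants sharing one OVS bridge. */
static const struct nic_record db[] = {
    { "alice", "veth", "ovsbr0", "vethA1" },
    { "bob",   "veth", "ovsbr0", "vethB1" },
};
#define DB_LEN (sizeof(db) / sizeof(db[0]))

/* Flawed pattern: a matching interface name alone authorizes deletion. */
static bool may_delete_name_only(const char *caller, const char *type,
                                 const char *link, const char *ifname)
{
    (void)caller; (void)type; (void)link;   /* never consulted: the bug */
    for (size_t i = 0; i < DB_LEN; i++)
        if (strcmp(db[i].ifname, ifname) == 0)
            return true;
    return false;
}

/* Hardened pattern: owner, type and link must all match the record. */
static bool may_delete_strict(const char *caller, const char *type,
                              const char *link, const char *ifname)
{
    for (size_t i = 0; i < DB_LEN; i++)
        if (strcmp(db[i].ifname, ifname) == 0)
            return strcmp(db[i].owner, caller) == 0 &&
                   strcmp(db[i].type, type) == 0 &&
                   strcmp(db[i].link, link) == 0;
    return false;   /* unknown interface: deny by default */
}

int main(void)
{
    printf("name-only: %d\n", may_delete_name_only("bob", "veth", "ovsbr0", "vethA1"));
    printf("strict:    %d\n", may_delete_strict("bob", "veth", "ovsbr0", "vethA1"));
    return 0;
}
```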

Affected Version(s)

lxc < 7.0.0

References

CVSS V4

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
