CME-604

Unprivileged User Namespaces Disabled

Description

Prevents unprivileged users from creating user namespaces. User namespaces expose kernel attack surface (mount, network, PID operations) to unprivileged users and have been a frequent local privilege escalation (LPE) vector.

CVSS Vector Impacts

Metric                    Transition  Rationale
Privileges Required (PR)  L → H       Unprivileged user cannot create namespaces to reach privileged kernel paths
Attack Complexity (AC)    L → H       Many kernel LPE exploits require user namespaces as a prerequisite

CWE Relationships

Verification

Check user.max_user_namespaces sysctl

Platform: linux
$ cat /proc/sys/user/max_user_namespaces
# Expected: 0

Platform: debian
$ sysctl kernel.unprivileged_userns_clone 2>/dev/null
# Expected: kernel.unprivileged_userns_clone = 0
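As an added example that is not part of the CME catalog entry, the POSIX shell script below turns the two verification reads above into a single PASS/FAIL check. The function names and the USERNS_CHECK_LIVE variable are this example's own assumptions; a missing kernel.unprivileged_userns_clone is reported as "absent", since that knob only exists on kernels carrying the Debian/Ubuntu patch that adds it.

```shell
#!/bin/sh
# Added example, not part of the CME catalog entry: evaluate the two sysctls
# from the verification steps and report whether unprivileged user namespace
# creation is blocked. Function names and the USERNS_CHECK_LIVE variable are
# this example's own (assumptions, not from the page).

# evaluate_userns_policy MAX_USER_NS UNPRIV_CLONE
#   MAX_USER_NS  value of user.max_user_namespaces, or "absent" if unreadable
#   UNPRIV_CLONE value of kernel.unprivileged_userns_clone, or "absent" on
#                kernels without the Debian/Ubuntu patch that adds it
# Prints one PASS/FAIL line; returns 0 on PASS, 1 on FAIL.
evaluate_userns_policy() {
    max_user_ns="$1"
    unpriv_clone="$2"
    if [ "$max_user_ns" = "0" ]; then
        echo "PASS: user.max_user_namespaces=0 (no user namespaces can be created)"
        return 0
    fi
    if [ "$unpriv_clone" = "0" ]; then
        echo "PASS: kernel.unprivileged_userns_clone=0 (unprivileged creation blocked)"
        return 0
    fi
    echo "FAIL: user.max_user_namespaces=$max_user_ns kernel.unprivileged_userns_clone=$unpriv_clone"
    return 1
}

# read_sysctl_or_absent PATH: print the sysctl value, or "absent" if the
# /proc/sys entry does not exist on this kernel.
read_sysctl_or_absent() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo absent
    fi
}

# check_live_host: read both knobs from /proc/sys and evaluate them.
check_live_host() {
    evaluate_userns_policy \
        "$(read_sysctl_or_absent /proc/sys/user/max_user_namespaces)" \
        "$(read_sysctl_or_absent /proc/sys/kernel/unprivileged_userns_clone)"
}

# Only touch the live host when explicitly asked, so the functions can be
# exercised with constructed values (e.g. from a test) without side effects.
if [ "${USERNS_CHECK_LIVE:-0}" = "1" ]; then
    check_live_host
fi
```

Run it as USERNS_CHECK_LIVE=1 sh userns_check.sh to evaluate the host it is executed on. The two knobs are not equivalent: user.max_user_namespaces=0 is a hard creation limit that applies to every caller in that user namespace, root included, so it also breaks tooling that legitimately relies on user namespaces, whereas kernel.unprivileged_userns_clone=0 only restricts callers without CAP_SYS_ADMIN.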