Tools for measuring Linux user namespace kernel attack surface.
These tools were used to produce the findings in User Namespaces Trade UID Isolation for Kernel Attack Surface.
These tools deliberately exercise bug-prone kernel code paths, including
nftables subsystems responsible for dozens of CVEs since 2020. They can
crash, hang, or destabilize unpatched kernels. nft-stress in particular
targets historical vulnerability patterns (GC races, batch transaction
commit/abort, verdict map double-free classes) with concurrent threads.
Always run in a disposable VM or container. Never run against a production kernel or a system you cannot afford to lose.
These tools are provided strictly for defensive security research, authorized testing, and academic purposes. They measure kernel attack surface — they are not exploits, and they are not intended to be used to attack, disrupt, or gain unauthorized access to any system.
By using these tools you accept full responsibility for how and where you run them. The authors and Edera, Inc. disclaim all liability for any damage, data loss, service disruption, or other consequences arising from use or misuse of this software. See LICENSE for the full terms, which include a "no warranty" provision.
## userns-probe

Measures the kernel attack surface delta between a regular unprivileged process and the same process inside a user namespace. Runs 40+ probes across namespace creation, mount operations, network device creation, netfilter/nftables, raw sockets, and filesystem operations.
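The measurement idea behind userns-probe, shown as an added example that is not the project's own code: each probe is one kernel operation, run once as an unprivileged process and once after entering a fresh user namespace, and the two reachable counts give the delta. It also folds in the requirement check from the Requirements section (`/proc/sys/user/max_user_namespaces > 0`). The probe list, the hypothetical `NOBODY` uid 65534 used for the baseline drop, and the output format are assumptions of this example; the real tool runs many more probes. Each probe runs in a forked child so that leftover namespace state or a kernel refusal never touches the parent.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define NOBODY 65534  /* assumed uid/gid of "nobody" for the unprivileged baseline */

/* A probe attempts one kernel operation; 0 means the kernel let it through. */
typedef int (*probe_fn)(void);

static int close_ok(int fd) { if (fd < 0) return -1; close(fd); return 0; }
static int probe_newnet(void) { return unshare(CLONE_NEWNET); }
static int probe_newuts(void) { return unshare(CLONE_NEWUTS); }
static int probe_mount_tmpfs(void) {
    /* Private mount ns first, so the tmpfs can never leak onto the host. */
    if (unshare(CLONE_NEWNS) != 0) return -1;
    return mount("none", "/tmp", "tmpfs", 0, NULL);
}
static int probe_packet_raw(void) {
    /* CAP_NET_RAW only counts over a net ns that our user ns owns. */
    if (unshare(CLONE_NEWNET) != 0) return -1;
    return close_ok(socket(AF_PACKET, SOCK_RAW, 0));
}
static int probe_raw_icmp(void) {
    if (unshare(CLONE_NEWNET) != 0) return -1;
    return close_ok(socket(AF_INET, SOCK_RAW, IPPROTO_ICMP));
}

static const struct { const char *name; probe_fn fn; } probes[] = {
    { "unshare(CLONE_NEWNET)",                   probe_newnet },
    { "unshare(CLONE_NEWUTS)",                   probe_newuts },
    { "mount tmpfs in a new mount ns",           probe_mount_tmpfs },
    { "AF_PACKET raw socket in a new net ns",    probe_packet_raw },
    { "AF_INET raw ICMP socket in a new net ns", probe_raw_icmp },
};
int probe_count(void) { return (int)(sizeof probes / sizeof probes[0]); }

/* Requirement check: returns the max_user_namespaces limit, or -1 if unreadable. */
long max_user_namespaces(void) {
    FILE *f = fopen("/proc/sys/user/max_user_namespaces", "r");
    long v = -1;
    if (f) { if (fscanf(f, "%ld", &v) != 1) v = -1; fclose(f); }
    return v;
}

/* Create a user ns and map our uid/gid to 0 inside it, giving the child a full
 * capability set over that namespace only. Returns 0 on success. */
static int enter_userns(void) {
    char buf[32]; int fd, n;
    uid_t uid = geteuid(); gid_t gid = getegid();
    if (unshare(CLONE_NEWUSER) != 0) return -1;
    if ((fd = open("/proc/self/setgroups", O_WRONLY)) >= 0) { (void)write(fd, "deny", 4); close(fd); }
    if ((fd = open("/proc/self/uid_map", O_WRONLY)) < 0) return -1;
    n = snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)uid);
    if (write(fd, buf, n) != n) { close(fd); return -1; }
    close(fd);
    if ((fd = open("/proc/self/gid_map", O_WRONLY)) >= 0) {  /* best effort */
        n = snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)gid);
        (void)write(fd, buf, n); close(fd);
    }
    return 0;
}

/* Run one probe in a forked child. If started as root, drop to NOBODY first in
 * both contexts, mirroring the tool's baseline. Returns 1 if the operation
 * succeeded, 0 if the kernel refused it or the namespace could not be entered. */
static int run_probe(probe_fn fn, int in_userns) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        if (geteuid() == 0 &&
            (setgroups(0, NULL) != 0 || setgid(NOBODY) != 0 || setuid(NOBODY) != 0)) _exit(3);
        if (in_userns && enter_userns() != 0) _exit(2);
        _exit(fn() == 0 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

struct surface { int baseline; int userns; };

/* Run every probe with and without a user namespace, printing one row per probe. */
struct surface measure(void) {
    struct surface s = { 0, 0 };
    for (int i = 0; i < probe_count(); i++) {
        int b = run_probe(probes[i].fn, 0), u = run_probe(probes[i].fn, 1);
        printf("%-42s baseline=%-3s userns=%s\n", probes[i].name, b ? "yes" : "no", u ? "yes" : "no");
        s.baseline += b; s.userns += u;
    }
    return s;
}

/* Percent increase in reachable operations, the figure the findings report.
 * Returns -1.0 when nothing was reachable at baseline (the ratio is undefined). */
double percent_increase(struct surface s) {
    if (s.baseline == 0) return s.userns == 0 ? 0.0 : -1.0;
    return 100.0 * (s.userns - s.baseline) / s.baseline;
}

int main(void) {
    printf("max_user_namespaces = %ld\n", max_user_namespaces());
    struct surface s = measure();
    printf("reachable: baseline=%d userns=%d (%.0f%% increase)\n", s.baseline, s.userns, percent_increase(s));
    return 0;
}
```

Build it the same way as the project's tools (`gcc -static -o userns-delta userns-delta.c`, a file name chosen for this example) and run it in a disposable container. On a host where a seccomp profile blocks `unshare`, every user-namespace column reads "no", which is itself a useful data point: the container runtime, not the kernel, is what closes those paths there.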
```sh
gcc -static -o userns-probe userns-probe.c -lpthread
./userns-probe   # must start as root (drops to nobody for baseline)
```

## deep-probe

Goes beyond reachability testing and exercises the kernel code paths that user namespaces unlock. Creates real network devices, mounts real filesystems, opens real sockets, and interacts with real netfilter subsystems — all from an unprivileged user namespace.
```sh
gcc -static -o deep-probe deep-probe.c
./deep-probe   # as root in a container
```

## nft-stress

Stress tests the nftables subsystem from a user+net namespace. Targets the code paths that have historically produced the most CVEs: table/chain lifecycle, anonymous set handling, set element GC races, batch transaction commit/abort, and verdict map operations.
Not an exploit. This is an attack surface exerciser. If the kernel has a bug in these paths, this tool may trigger it.
```sh
gcc -static -o nft-stress nft-stress.c -lpthread
./nft-stress   # as root in a container
```

## nft-stress.sh

Shell-based nftables stress test using the nft CLI. Requires nft to be installed. Runs inside a user+net namespace via unshare.
```sh
unshare -Urn bash nft-stress.sh
```

## Building

Requires a Linux system with kernel headers (glibc or musl).
```sh
make         # builds all tools as static binaries
make clean   # removes binaries
```

These are Linux-only tools. They will not build on macOS.
## Requirements

All tools require Linux with user namespaces enabled (`/proc/sys/user/max_user_namespaces` > 0). Run in a container or VM for safety — the nft-stress tools deliberately exercise bug-prone kernel code paths.
```sh
# Quick test in a container
docker run --rm -v $(pwd):/tools -w /tools gcc:latest make
docker run --rm -v $(pwd):/tools -w /tools ubuntu:22.04 ./userns-probe
```

## Findings

From an unprivileged container on EKS (kernel 6.18):
- 262% increase in reachable kernel operations with user namespaces
- 21 newly reachable kernel code paths (namespace creation, mounts, network devices, nftables, raw sockets)
- 20 network device types reachable from user+net namespace
- 40+ CVEs from 2020-2025 required user namespaces for exploitation
- 18 of 40 CVEs (43%) were in nftables alone
## License

Apache-2.0