Severity: HIGH · CVE-2026-46070 · CNA: Linux

CVE-2026-46070: md/raid5: validate payload size before accessing journal metadata

In the Linux kernel, the following vulnerability has been resolved:

md/raid5: validate payload size before accessing journal metadata

r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a journal metadata block using on-disk payload size fields without validating them against the remaining space in the metadata block.

A corrupted journal containing payload sizes extending beyond the PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload fields or computing offsets.

Add bounds validation for each payload type to ensure the full payload fits within meta_size before processing.
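The bounds check the description calls for, shown on a simplified userspace model (an added example, not the kernel's code or the upstream patch). The payload layout, `META_HDR`, `put_hdr()` and `walk_payloads()` are assumptions made for illustration; only `meta_size` and the PAGE_SIZE limit come from the description.

```c
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 4096u   /* stands in for PAGE_SIZE */
#define META_HDR   32u     /* assumed fixed header before the first payload */

/* Hypothetical payload: this header, then `count` 32-bit checksums. */
struct payload_hdr {
    uint16_t type;
    uint16_t flags;
    uint32_t count;        /* read from disk, so untrusted */
};

/* Constructed test data: store a payload header at `off` (host byte order). */
void put_hdr(uint8_t *block, uint32_t off, uint32_t count)
{
    struct payload_hdr h = { 0, 0, count };
    memcpy(block + off, &h, sizeof(h));
}

/* Returns payloads walked, or -1 if one would extend past meta_size. */
int walk_payloads(const uint8_t *block, uint32_t meta_size)
{
    uint32_t off = META_HDR;
    int n = 0;
    if (meta_size < META_HDR || meta_size > BLOCK_SIZE)
        return -1;         /* meta_size is on-disk data too */
    while (off < meta_size) {
        struct payload_hdr h;
        uint32_t remaining = meta_size - off;
        if (remaining < sizeof(h))
            return -1;     /* header itself would be read out of bounds */
        memcpy(&h, block + off, sizeof(h));
        /* Compare by division so count * 4 cannot wrap. */
        if (h.count > (remaining - sizeof(h)) / sizeof(uint32_t))
            return -1;     /* checksum array does not fit */
        off += (uint32_t)(sizeof(h) + h.count * sizeof(uint32_t));
        n++;
    }
    return n;
}

int main(void)
{
    static uint8_t block[BLOCK_SIZE];
    put_hdr(block, META_HDR, 0x40000000u);   /* corrupted count field */
    return walk_payloads(block, META_HDR + 16) == -1 ? 0 : 1;
}
```

With a count of 0x40000000, a 32-bit `count * 4` wraps to zero, which is why the check divides the remaining space instead of multiplying the untrusted field.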

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the Linux kernel's md/raid5 subsystem, specifically in the journal metadata recovery routines. The flaw is reachable locally by a low-privileged user and does not require any network access or victim interaction. Successful exploitation reads kernel memory beyond valid boundaries and can crash the affected system. A patched-image rebuild at the fix versions (6.6.140, 6.12.86, and the corresponding commit SHAs) is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-46070 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that carry an affected kernel version.

Status: Available

Triage

Triage is available with the CVSS v3.1 score of 7.1 (HIGH) applied to each matched image, weighted against per-environment compliance policies, and routed to the appropriate team inbox within each customer organization.

Status: Available

Patch

A patched-image rebuild at the fix versions (6.6.140, 6.12.86, and the associated upstream commits) is available on HarborGuard for any environment running an affected kernel version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the vulnerable service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the vulnerable journal recovery code path.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker can trigger the condition without involving another user.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once local access is established; no race condition or special memory layout is required.

Blast Radius

  • Reads kernel memory beyond the page boundary, potentially exposing sensitive in-kernel data such as keys or other process memory contents.
  • Causes a kernel crash (system halt or reboot) by triggering an out-of-bounds access in the RAID5 journal recovery path, disrupting all workloads on the host.
  • Any container or process sharing the affected host kernel is subject to service disruption from the resulting crash.

How HarborGuard Handles This

Available on HarborGuard: images built on an affected Linux kernel version (pre-6.6.140 or pre-6.12.86 stable branches, or the unfixed commit ranges listed in the advisory) are flagged at ingest time. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the patched kernel version, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is routed to the responsible team with the CVSS 7.1 HIGH score and fix-version details attached, so engineers can action the rebuild manually.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

Affected packages
  • Linux / Linux
    < 33698bd1b2db9764a29df7751533d33967ff5c98 (from b4c625c67362b3940f619c1a836b4e8329106658) · < c3a1cf78bd1bbb51b2cc5189b4743056553c1e0e (from b4c625c67362b3940f619c1a836b4e8329106658) · < 73ce72edd113374801045924d4417199963f73a3 (from b4c625c67362b3940f619c1a836b4e8329106658) · < 406aa86394ead347c47428fb51b6359bdaa2257d (from b4c625c67362b3940f619c1a836b4e8329106658) · < b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9 (from b4c625c67362b3940f619c1a836b4e8329106658)
  • Linux / Linux
    4.10
    Fixed in 0, 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H