CVE-2026-46081: crypto: acomp - fix wrong pointer stored by acomp_save_req()
In the Linux kernel, the following vulnerability has been resolved:

crypto: acomp - fix wrong pointer stored by acomp_save_req()

acomp_save_req() stores &req->chain in req->base.data. When acomp_reqchain_done() is invoked on asynchronous completion, it receives &req->chain as the data argument but casts it directly to struct acomp_req. Since data points to the chain member, all subsequent field accesses are at a wrong offset, resulting in memory corruption.

The issue occurs when an asynchronous hardware implementation, such as the QAT driver, completes a request that uses the DMA virtual address interface (e.g. acomp_request_set_src_dma()). This combination causes crypto_acomp_compress() to enter the acomp_do_req_chain() path, which sets acomp_reqchain_done() as the completion callback via acomp_save_req().

With KASAN enabled, this manifests as a general protection fault in acomp_reqchain_done():

  general protection fault, probably for non-canonical address 0xe000040000000000
  KASAN: probably user-memory-access in range [0x0000400000000000-0x0000400000000007]
  RIP: 0010:acomp_reqchain_done+0x15b/0x4e0
  Call Trace:
   <IRQ>
   qat_comp_alg_callback+0x5d/0xa0 [intel_qat]
   adf_ring_response_handler+0x376/0x8b0 [intel_qat]
   adf_response_handler+0x60/0x170 [intel_qat]
   tasklet_action_common+0x223/0x820
   handle_softirqs+0x1ab/0x640
   </IRQ>

Fix this by storing the request itself in req->base.data instead of &req->chain, so that acomp_reqchain_done() receives the correct pointer. Simplify acomp_restore_req() accordingly to access req->chain directly.
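The wrong-offset access described above can be reproduced in a user-space model. This is an added example, not kernel code or code from the fix commit: the struct layouts, the model_* names, the arena wrapper and the slen value of 4096 are simplified assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for illustration; NOT the kernel's real struct layouts. */
struct model_base  { void (*complete)(void *data, int err); void *data; };
struct model_chain { void *saved_data; };
struct model_req {
    struct model_base  base;
    uint32_t           slen;   /* a field the completion callback reads */
    struct model_chain chain;  /* embedded member, not at offset 0 */
};
/* Request plus trailing bytes, so the misplaced read stays inside one object. */
struct arena { struct model_req req; unsigned char tail[sizeof(struct model_req)]; };

/* Pre-fix behaviour: the address of the chain member is stored as callback data. */
static void save_req_buggy(struct model_req *req) { req->base.data = &req->chain; }
/* Post-fix behaviour: the request itself is stored. */
static void save_req_fixed(struct model_req *req) { req->base.data = req; }

/* What the callback does: treat `data` as the start of a request and read slen.
 * memcpy at the field offset models the cast without relying on aliasing. */
static uint32_t callback_reads_slen(const void *data)
{
    uint32_t v;
    memcpy(&v, (const unsigned char *)data + offsetof(struct model_req, slen), sizeof(v));
    return v;
}

/* Build a constructed request (slen = 4096) and report what the callback sees.
 * *skew is the distance between the real request and the callback's "request". */
static uint32_t run_model(int fixed, ptrdiff_t *skew)
{
    struct arena a;
    memset(&a, 0xAA, sizeof(a));   /* filler standing in for adjacent memory */
    a.req.slen = 4096;
    fixed ? save_req_fixed(&a.req) : save_req_buggy(&a.req);
    *skew = (unsigned char *)a.req.base.data - (unsigned char *)&a.req;
    return callback_reads_slen(a.req.base.data);
}

int main(void)
{
    ptrdiff_t s0, s1;
    uint32_t v0 = run_model(0, &s0), v1 = run_model(1, &s1);
    printf("pre-fix:  skew=%td slen=0x%x\npost-fix: skew=%td slen=0x%x\n",
           s0, (unsigned)v0, s1, (unsigned)v1);
    return 0;
}
```

In the pre-fix case every field the callback touches is shifted by offsetof(struct model_req, chain), so it reads filler bytes instead of the real slen; in the post-fix case the skew is zero.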
HarborGuard Analysis
Synopsis
A wrong-pointer bug in the Linux kernel's asynchronous compression subsystem (crypto/acomp) allows a local attacker with a low-privilege account to trigger memory corruption. The flaw is reachable locally and requires no network access; it manifests when an asynchronous hardware compression driver, such as the Intel QAT driver, completes a request that was set up using the DMA virtual address interface, causing the completion callback to dereference a structurally offset pointer. Successful exploitation gives the attacker full read, write, and denial-of-service capability over kernel memory. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected kernel.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that package an affected kernel version. Any image whose kernel falls below the fixed commits or stable releases (6.18.27, 7.0.4) is flagged immediately.
Available
HarborGuard scores this CVE at CVSS 7.8 HIGH and weights it against each environment's compliance policy to determine breach-of-threshold routing. Findings are routed to the appropriate team inbox inside each customer organization based on configured ownership rules.
Available
Patched-image rebuilds pinned to the fix versions (6.18.27, 7.0.4, or the upstream stable commits) are available on HarborGuard for any environment running an affected kernel. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the configured regression suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path.
- Authentication: Required
Any low-privilege local account is sufficient to trigger the asynchronous compression request that leads to the wrong-pointer dereference.
- Victim interaction: Not required
No victim interaction is needed; the attacker triggers the flaw entirely through their own process actions.
- Attack complexity: Detail
The exploit is reliable and condition-free once the attacker has a local account and the QAT (or similar async hardware) driver is active; no race conditions or memory-layout tuning are required.
Blast Radius
- Reads arbitrary kernel memory, exposing credentials, cryptographic keys, and other sensitive in-memory data.
- Writes to arbitrary kernel memory locations, allowing the attacker to overwrite security-critical structures or inject code into kernel context.
- Crashes the affected kernel or specific subsystems via memory corruption, causing a full system denial of service.
- Provides a strong primitive for privilege escalation from a low-privilege process to full kernel control.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image whose kernel predates the fix commits or the 6.18.27 and 7.0.4 stable releases. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs the configured regression suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit automatic remediation, the finding is routed to the designated team inbox with CVSS 7.8 HIGH severity context so engineers can prioritize manual upgrade. Because the vulnerable path requires an active asynchronous hardware compression driver (such as Intel QAT), customers can reduce exposure in the interim by restricting which workloads are permitted to access hardware compression devices via container security policies or device-plugin admission controls.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: < 343a5bf68a8ff9affcf2b70677ea4cf40c195ee4 (from 64929fe8c0a43508eee952cf57903a61c52601e7) · < 1a2785e5985627f2265ba7775949601a29ba0d1e (from 64929fe8c0a43508eee952cf57903a61c52601e7) · < d7e20b9bd6c990773cf0c09e2642250b8a70263d (from 64929fe8c0a43508eee952cf57903a61c52601e7)
- Linux / Linux 6.16: Fixed in 0, 6.18.27, 7.0.4, 7.1-rc1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H