HIGH · CVE-2026-46093 · CNA: Linux

CVE-2026-46093: mm/vmalloc: take vmap_purge_lock in shrinker

In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc: take vmap_purge_lock in shrinker

decay_va_pool_node() can be invoked concurrently from two paths: __purge_vmap_area_lazy() when pools are being purged, and the shrinker via vmap_node_shrink_scan().

However, decay_va_pool_node() is not safe to run concurrently, and the shrinker path currently lacks serialization, leading to races and possible leaks.

Protect decay_va_pool_node() by taking vmap_purge_lock in the shrinker path to ensure serialization with purge users.

HarborGuard Analysis


Synopsis

A race condition in the Linux kernel's virtual memory allocator (mm/vmalloc) allows a local attacker with a low-privilege account to exploit concurrent execution paths in the vmap shrinker, leading to memory corruption or leaks. The vulnerability is reachable locally and requires no special privileges beyond a standard user account. Successful exploitation gives the attacker full read, write, and availability impact over the affected system, enabling data disclosure, data tampering, and service disruption. Patched-image rebuilds at fix versions 6.18.27 and 7.0.4 are available on HarborGuard for environments running affected kernel versions.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46093 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the Linux kernel or kernel-adjacent packages.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting that score against each environment's compliance policy to determine urgency; triage results are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at fix versions 6.18.27 or 7.0.4 becomes available on HarborGuard for any image found to include an affected kernel version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the race condition; no administrative credentials are needed.

  • Victim interaction: Not required

    No user interaction is required; the attacker can trigger the vulnerable code path independently.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once local access is obtained; no race-window timing beyond what the kernel shrinker naturally produces is required of the attacker.

Blast Radius

  • A successful attacker can read arbitrary kernel memory, exposing credentials, session tokens, or other sensitive data held in kernel structures.
  • The attacker can corrupt or modify kernel memory, altering persistent data structures or injecting malicious content into kernel-managed buffers.
  • The race condition can trigger a kernel panic or unrecoverable memory leak, crashing the affected host and taking down all workloads running on it.
  • All three impacts (read, write, crash) are available from a single low-privilege local account without any additional preconditions.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication, matching any image that bundles a Linux kernel earlier than 6.18.27 or 7.0.4 against the affected version ranges documented in this advisory. For environments where compliance policy permits auto-remediation, HarborGuard can rebuild the image at a fixed kernel version, execute regression tests, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage kernel upgrades manually should prioritize updating to Linux 6.18.27 or 7.0.4, and may consider applying kernel lockdown or namespace restrictions as a compensating control while a rebuild is staged.


Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

0 · 12f2341b4c235d5593a433abac201c1c6725787f · 6.18.27 · 687ccdf582169cd680aeaf24cc953807c4cd4345 · 7.0.4 · 7.1-rc1 · ec05f51f1e65bce95528543eb73fda56fd201d94

Affected packages
  • Linux / Linux
    < 687ccdf582169cd680aeaf24cc953807c4cd4345 (from 7679ba6b36dbb300b757b672d6a32a606499e14b) · < 12f2341b4c235d5593a433abac201c1c6725787f (from 7679ba6b36dbb300b757b672d6a32a606499e14b) · < ec05f51f1e65bce95528543eb73fda56fd201d94 (from 7679ba6b36dbb300b757b672d6a32a606499e14b)
  • Linux / Linux
    6.9
    Fixed in 0, 6.18.27, 7.0.4, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
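
A host-side check built from the version data listed above (affected from 6.9; fixed in 6.18.27, 7.0.4 and 7.1-rc1). This is an added example, not HarborGuard or kernel project code; the function name `cve_2026_46093_status` is hypothetical. It assumes that any release series at or after 6.9 for which this page lists no fix version is still affected.

```shell
#!/bin/sh
# Added example: classify a kernel release string (as printed by `uname -r`)
# against the versions on this advisory page.
# Assumption: a series with no fix listed here (e.g. 6.10.y, 6.19.y) is
# reported as affected. Distribution kernels may backport the fix without
# changing the upstream version number, so confirm an "affected" result
# against the distribution's own advisory.

cve_2026_46093_status() {
    # Keep only the leading dotted number: "6.18.27-generic" -> "6.18.27".
    ver=$(printf '%s' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) echo "unknown"; return 0 ;;
    esac

    # Split on dots into major / minor / patch (missing parts count as 0).
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # Before 6.9: outside the affected range given on the page.
    if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 9 ]; }; then
        echo "not-affected"; return 0
    fi
    # 6.18.y series: fixed at 6.18.27.
    if [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -ge 27 ]; then echo "fixed"; else echo "affected"; fi
        return 0
    fi
    # 7.0.y series: fixed at 7.0.4.
    if [ "$major" -eq 7 ] && [ "$minor" -eq 0 ]; then
        if [ "$patch" -ge 4 ]; then echo "fixed"; else echo "affected"; fi
        return 0
    fi
    # 7.1-rc1 and anything later carries the fix.
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 1 ]; }; then
        echo "fixed"; return 0
    fi
    # Remaining series from 6.9 onward: no fix version listed on this page.
    echo "affected"
}

# Classify the running kernel.
cve_2026_46093_status "$(uname -r)"
```
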