HIGH · CVE-2026-46100 · Published · Modified · CNA Linux

CVE-2026-46100: fs: afs: revert mmap_prepare() change

In the Linux kernel, the following vulnerability has been resolved:

fs: afs: revert mmap_prepare() change

Partially reverts commit 9d5403b1036c ("fs: convert most other generic_file_*mmap() users to .mmap_prepare()").

This is because the .mmap invocation establishes a refcount, but .mmap_prepare is called at a point where a merge or an allocation failure might happen after the call, which would leak the refcount increment.

Functionality is being added to permit the use of .mmap_prepare in this case, but in the interim, we need to fix this.
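The ordering problem described above, as an added user-space model (not kernel code and not part of the original advisory): a hook that takes a reference before a step that can still fail leaves the count raised, while a hook that runs after that step stays balanced. All names are hypothetical, and the model assumes the .mmap-style hook runs after the failing step.

```c
/* User-space model only; every name here is hypothetical, not a kernel symbol. */
#include <stdbool.h>
#include <stdio.h>

struct inode_model { int mmap_refs; };  /* stands in for the count taken at mmap time */

enum hook_style { HOOK_MMAP, HOOK_MMAP_PREPARE };

/* Reference taken by the filesystem's hook. */
static void fs_hook_take_ref(struct inode_model *ino) { ino->mmap_refs++; }
/* Reference dropped when an established mapping is closed. */
static void vma_close(struct inode_model *ino) { ino->mmap_refs--; }

/*
 * One mapping attempt followed, on success, by an unmap.
 * late_failure simulates the merge or allocation failure that can
 * happen after the prepare-style hook has already run.
 * Returns true if a mapping was established.
 */
static bool map_then_unmap(struct inode_model *ino, enum hook_style style,
                           bool late_failure)
{
    if (style == HOOK_MMAP_PREPARE)
        fs_hook_take_ref(ino);  /* runs before the mapping exists */

    if (late_failure)
        return false;           /* no mapping, so no close undoes an early ref */

    if (style == HOOK_MMAP)
        fs_hook_take_ref(ino);  /* assumption: runs after the step that can fail */

    vma_close(ino);             /* unmap: close pairs with the reference */
    return true;
}

/* Count left after `attempts` mappings where every `fail_every`-th fails late. */
static int leaked_refs(enum hook_style style, int attempts, int fail_every)
{
    struct inode_model ino = { 0 };
    for (int i = 1; i <= attempts; i++)
        map_then_unmap(&ino, style, fail_every && i % fail_every == 0);
    return ino.mmap_refs;
}

int main(void)
{
    printf(".mmap style:         %d refs left\n", leaked_refs(HOOK_MMAP, 100, 10));
    printf(".mmap_prepare style: %d refs left\n", leaked_refs(HOOK_MMAP_PREPARE, 100, 10));
    return 0;
}
```

In the model, each late failure on the prepare-style path leaves one reference that nothing releases, which is the imbalance the revert removes.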

HarborGuard Analysis

Synopsis

A reference-count leak vulnerability exists in the Linux kernel's AFS (Andrew File System) memory-mapping path. An attacker with a local, low-privilege account can trigger the bug by causing a merge or allocation failure after mmap_prepare() increments a reference count without a corresponding release, corrupting kernel memory state. Successful exploitation gives the attacker full read, write, and crash-level control over the affected system. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected kernel version. Coverage extends to images in both registry scans and active CI/CD pipeline checks.

Triage: Available

HarborGuard scores this CVE at CVSS 7.8 (HIGH) and weights it against each environment's compliance policy to determine escalation priority. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at the fix versions (6.18.27, 7.0.4, 7.1-rc1, or commit 48c7a0eaeea41da17d1d84d2d7a4c40be122b246) is available on HarborGuard for environments running an affected kernel. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrator or root access to trigger the mmap_prepare() reference-count leak.

  • Victim interaction: Not required

    No user interaction is required; the attacker can trigger the vulnerability entirely through their own process.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

  • A successful attacker reads arbitrary kernel memory, including credentials, session tokens, and data belonging to other processes on the host.
  • The attacker writes to arbitrary kernel memory, enabling privilege escalation to root or modification of security-relevant kernel structures.
  • The attacker can crash the affected system by corrupting kernel state through the leaked reference count, causing a denial of service for all workloads on the node.
  • Container workloads sharing the host kernel are exposed to the same impact, because the vulnerability is in the host kernel's AFS subsystem.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46100 is active across all connected environments and will match any image bundling an affected Linux kernel version. For environments where a fix version (6.18.27, 7.0.4, 7.1-rc1, or the equivalent upstream commit) is available, a patched-image rebuild is ready to trigger. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments that cannot immediately rebuild, consider applying network-policy isolation to restrict lateral movement from any potentially compromised node, and audit which workloads mount AFS filesystems to narrow the exposure surface until the kernel is updated.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

  • 0
  • 48c7a0eaeea41da17d1d84d2d7a4c40be122b246
  • 6.18.27
  • 7.0.4
  • 7.1-rc1
  • f51f85c044809fbd39ac8ae07ac99bc43ce32bd5
  • fbfc6578eaca12daa0c09df1e9ba7f2c657b49da

Affected packages
  • Linux / Linux
    < f51f85c044809fbd39ac8ae07ac99bc43ce32bd5 (from 9d5403b1036cdcd4be0f9f5568612c0e60e73d79) · < 48c7a0eaeea41da17d1d84d2d7a4c40be122b246 (from 9d5403b1036cdcd4be0f9f5568612c0e60e73d79) · < fbfc6578eaca12daa0c09df1e9ba7f2c657b49da (from 9d5403b1036cdcd4be0f9f5568612c0e60e73d79)
  • Linux / Linux
    6.17
    Fixed in 0, 6.18.27, 7.0.4, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H