HarborGuard / CVE
Back to search
HIGHCVE-2026-46102Published Modified CNA Linux

CVE-2026-46102: net: strparser: fix skb_head leak in strp_abort_strp()

In the Linux kernel, the following vulnerability has been resolved: net: strparser: fix skb_head leak in strp_abort_strp() When the stream parser is aborted, for example after a message assembly timeout, it can still hold a reference to a partially assembled message in strp->skb_head. That skb is not released in strp_abort_strp(), which leaks the partially assembled message and can be triggered repeatedly to exhaust memory. Fix this by freeing strp->skb_head and resetting the parser state in the abort path. Leave strp_stop() unchanged so final cleanup still happens in strp_done() after the work and timer have been synchronized.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A memory leak vulnerability exists in the Linux kernel's stream parser (strparser) subsystem, reachable over the network without any authentication. When the stream parser aborts mid-assembly, for example after a message assembly timeout, it fails to free a partially assembled socket buffer (skb), leaving that memory permanently unreclaimable. An attacker can trigger this leak repeatedly over the network to exhaust kernel memory and crash the affected host. A patched-image rebuild at the fix versions is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-46102 is available across every HarborGuard environment; the CVE is ingested from upstream kernel advisory feeds within minutes of publication and matched against customer images, including custom-built images that carry vulnerable Linux kernel versions.

Available
Triage

Triage is available using the CVSS v3.1 base score of 7.5 (HIGH), with per-environment compliance policy weighting applied to prioritize alerts and route findings to the appropriate team inbox within each customer organization.

Available
Patch

A patched-image rebuild pinned to the fix commits (including 19ca9475f18f, 5327dad2ffe9c1b, 56082f442023db, and kernel release 6.6.140) is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must be able to reach the service over the network; the vulnerability is exposed via network-facing sockets that use the kernel stream parser.

  • AuthenticationNot required

    No authentication is needed; the attacker can trigger the memory leak by sending crafted network traffic to an exposed socket without holding any account or credential.

  • Victim interactionNot required

    No victim interaction is required; the attacker drives the exploit entirely through their own network-side connection attempts.

  • Attack complexityDetail

    Attack complexity is low; the exploit is reliable and requires no special conditions, race wins, or knowledge of memory layout.

Blast Radius

  • Repeated triggering exhausts kernel memory, causing the host operating system to crash or become unresponsive (full denial of service).
  • All workloads running on the affected host, not just the targeted service, are disrupted when kernel memory is exhausted.
  • No confidential data is read and no data is modified; the impact is limited entirely to availability.

How HarborGuard Handles This

Available on HarborGuard: images running a Linux kernel version prior to the fix commits are flagged immediately upon scan. For customers who opt into auto-remediation, HarborGuard rebuilds the image at a patched kernel version, runs a regression test suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy or operational constraints prevent auto-remediation, HarborGuard surfaces the finding with a recommended network-policy isolation control: restricting inbound access to services that use kernel stream-parser-backed sockets (such as TLS or KCM sockets) reduces the attacker's ability to trigger repeated leak cycles while a patched kernel is staged for deployment.

See how HarborGuard automates this

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
0
Affected Products
2

Fix available

019ca9475f18f991735f98a22e735c43e95e6298d5327dad2ffe9c1b49881dd6d51ff3c689384756856082f442023db9be1a5a29d4ee361de4017c0b76.6.1406.12.866.18.277.0.47.1-rc1e9ae00490d474757c0f9c65073de83e6bb1e5a00fe72340daaf1af588be88056faf98965f39e6032
Affected packages
  • Linux / Linux
    < e9ae00490d474757c0f9c65073de83e6bb1e5a00 (from 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a) · < 5327dad2ffe9c1b49881dd6d51ff3c6893847568 (from 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a) · < 19ca9475f18f991735f98a22e735c43e95e6298d (from 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a) · < 56082f442023db9be1a5a29d4ee361de4017c0b7 (from 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a) · < fe72340daaf1af588be88056faf98965f39e6032 (from 43a0c6751a322847cb6fa0ab8cbf77a1d08bfc0a)
  • Linux / Linux
    4.9
    Fixed in 0, 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References