HIGH · CVE-2026-46105 · CNA: Linux

CVE-2026-46105: scsi: mpt3sas: Limit NVMe request size to 2 MiB

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Limit NVMe request size to 2 MiB

The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB. Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.
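An added example (not the mpt3sas driver's own code) that models the limit the fix enforces: it derives the 2 MiB ceiling from the fixed 4 KiB PRP list, shows how many list entries an I/O would consume, and clamps max_hw_sectors to the smaller of the reported MDTS and that ceiling. It assumes 8-byte PRP entries, 4 KiB memory pages and 512-byte sectors; the MDTS value is passed in already converted to bytes.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PRP_LIST_BYTES   4096u   /* fixed PRP list buffer size (from the CVE text) */
#define PRP_ENTRY_BYTES  8u      /* 64-bit PRP entries (assumption) */
#define PAGE_BYTES       4096u   /* memory page size (assumption) */
#define SECTOR_BYTES     512u    /* block-layer sector size (assumption) */

#define PRP_LIST_ENTRIES (PRP_LIST_BYTES / PRP_ENTRY_BYTES)   /* 512 entries */

/* Largest transfer the fixed PRP list can describe: 512 entries * 4 KiB = 2 MiB. */
static uint64_t driver_max_xfer_bytes(void)
{
    return (uint64_t)PRP_LIST_ENTRIES * PAGE_BYTES;
}

/* PRP list entries an I/O of `bytes` needs (one per 4 KiB data page). */
static uint64_t prp_entries_needed(uint64_t bytes)
{
    return (bytes + PAGE_BYTES - 1) / PAGE_BYTES;
}

/* True when an I/O of `bytes` would need more entries than the 4 KiB list holds,
 * i.e. the oversized-I/O condition the unpatched driver could reach. */
static bool prp_list_overflows(uint64_t bytes)
{
    return prp_entries_needed(bytes) > PRP_LIST_ENTRIES;
}

/* Unpatched behaviour: max_hw_sectors follows the firmware-reported MDTS alone. */
static uint32_t max_hw_sectors_unpatched(uint64_t mdts_bytes)
{
    return (uint32_t)(mdts_bytes / SECTOR_BYTES);
}

/* Patched behaviour: max_hw_sectors = min(reported MDTS, 2 MiB driver limit). */
static uint32_t max_hw_sectors_patched(uint64_t mdts_bytes)
{
    uint64_t limit = driver_max_xfer_bytes();
    if (mdts_bytes < limit)
        limit = mdts_bytes;
    return (uint32_t)(limit / SECTOR_BYTES);
}

int main(void)
{
    uint64_t mdts = 8u << 20;   /* constructed: drive reports an 8 MiB MDTS */
    uint64_t io   = (uint64_t)max_hw_sectors_unpatched(mdts) * SECTOR_BYTES;
    printf("unpatched: largest I/O %llu bytes, PRP list overflows: %s\n",
           (unsigned long long)io, prp_list_overflows(io) ? "yes" : "no");
    io = (uint64_t)max_hw_sectors_patched(mdts) * SECTOR_BYTES;
    printf("patched:   largest I/O %llu bytes, PRP list overflows: %s\n",
           (unsigned long long)io, prp_list_overflows(io) ? "yes" : "no");
    return 0;
}
```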

HarborGuard Analysis

Synopsis

A missing bounds check in the Linux kernel's mpt3sas SCSI driver allows an attacker with a local, low-privilege account to issue oversized NVMe I/O requests, triggering a kernel oops. The driver allocates a fixed 4 KiB buffer for the PRP (Physical Region Page) list, supporting at most 512 entries and a 2 MiB transfer limit, but it did not enforce that ceiling against the MDTS value reported by the underlying drive firmware. Successful exploitation gives the attacker full read, write, and denial-of-service capability over the host kernel. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that carry an affected kernel version. Any image whose kernel package falls below the fixed commits (04631f55afc5, 45dcc815fc55) or stable tags 6.18.30 or 7.0.7 is flagged automatically.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 7.8 HIGH and weights it against each environment's compliance policy to determine routing priority. Findings are dispatched to the appropriate team inbox within each customer organization based on policy configuration.

Status: Available
Patch

A patched-image rebuild at the fix versions (6.18.30, 7.0.7, or the upstream commits) becomes available through HarborGuard once the base image is updated. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression suite, and opens a pull request against affected workloads.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the vulnerable component is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the oversized I/O request; no administrative rights are needed.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can trigger the kernel oops entirely through their own process.

  • Attack complexity: Low

    The exploit is reliable and condition-free once local access is established; no race conditions or special memory layout are required.

Blast Radius

  • Crashes the host kernel (oops), disrupting all workloads running on the affected node.
  • Gains kernel-level write access, allowing modification of in-memory kernel structures and persisted data.
  • Reads arbitrary kernel memory, exposing credentials, keys, and data belonging to co-resident processes.
  • Can be chained with a local privilege escalation to achieve full root control of the host.

How HarborGuard Handles This

Available on HarborGuard: images carrying a Linux kernel version affected by CVE-2026-46105 are matched at ingest and surfaced immediately. Where compliance policy permits auto-remediation, HarborGuard triggers a rebuild against a base image at 6.18.30, 7.0.7, or the patched upstream commits, runs a regression test suite, and opens a pull request against affected workloads. For environments where auto-remediation is not enabled, the finding is routed to the designated team inbox with CVSS 7.8 HIGH severity context. Because a fix is already published, the recommended action is to rebase affected images on a patched kernel promptly; for environments that cannot update immediately, restricting container privileges (no-new-privileges, dropping CAP_SYS_RAWIO) reduces exposure by limiting the process context from which the oversized I/O call can be issued.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

  • 0
  • 04631f55afc543d5431a2bdee7f6cc0f2c0debe7
  • 45dcc815fc5539e88154315f36cbcb11d3a52fc2
  • 6.18.30
  • 7.0.7
  • 7.1-rc3
  • e5f9824817c6358b9f9738bdb92dec9e4e794d3c
Affected packages
  • Linux / Linux
      • < 45dcc815fc5539e88154315f36cbcb11d3a52fc2 (from 9b8b84879d4adc506b0d3944e20b28d9f3f6994b)
      • < e5f9824817c6358b9f9738bdb92dec9e4e794d3c (from 9b8b84879d4adc506b0d3944e20b28d9f3f6994b)
      • < 04631f55afc543d5431a2bdee7f6cc0f2c0debe7 (from 9b8b84879d4adc506b0d3944e20b28d9f3f6994b)
  • Linux / Linux
    6.17
    Fixed in 0, 6.18.30, 7.0.7, 7.1-rc3
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H