CVE-2026-46115: block: add pgmap check to biovec_phys_mergeable
In the Linux kernel, the following vulnerability has been resolved:
block: add pgmap check to biovec_phys_mergeable
biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.
When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().
Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.
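The merge decision described above, as a simplified user-space model (an added example, not kernel code and not taken from the fix commit). `struct seg`, `struct pgmap`, `mergeable()`, `coalesce()` and the addresses are constructed stand-ins, and only the contiguity test and the pgmap comparison are modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* User-space stand-ins (assumed names), not the kernel's own structures. */
struct pgmap { int id; };   /* one per registered zone-device chunk */
struct seg { uint64_t phys; unsigned len; const struct pgmap *pgmap; };

/* check_pgmap=false models the rule without the fix, true the rule with it. */
static bool mergeable(const struct seg *a, const struct seg *b, bool check_pgmap)
{
    if (a->phys + a->len != b->phys)
        return false;       /* not physically contiguous */
    return !check_pgmap || a->pgmap == b->pgmap;
}

/* Coalesce neighbours in place; returns the number of segments left. */
static size_t coalesce(struct seg *s, size_t n, bool check_pgmap)
{
    size_t out = 0;
    for (size_t i = 1; i < n; i++) {
        if (mergeable(&s[out], &s[i], check_pgmap))
            s[out].len += s[i].len;   /* result keeps only s[out].pgmap */
        else
            s[++out] = s[i];
    }
    return n ? out + 1 : 0;
}

/* Constructed input: chunk B starts exactly where chunk A ends. */
static size_t run_sample(bool check_pgmap, unsigned *first_len)
{
    static const struct pgmap a = { 1 }, b = { 2 };
    struct seg s[] = {
        { 0x100000000ULL, 4096, &a },   /* last page of chunk A */
        { 0x100001000ULL, 4096, &b },   /* first page of chunk B */
        { 0x100002000ULL, 4096, &b },   /* next page of chunk B */
    };
    size_t n = coalesce(s, 3, check_pgmap);
    *first_len = s[0].len;
    return n;
}

int main(void)
{
    unsigned l0, l1;
    size_t n0 = run_sample(false, &l0), n1 = run_sample(true, &l1);
    printf("without check: %zu segment(s), first is %u bytes\n", n0, l0);
    printf("with check:    %zu segment(s), first is %u bytes\n", n1, l1);
}
```

Without the check the three pages collapse into one 12288-byte segment that records only chunk A's pgmap; with it, the segment boundary stays at the pgmap boundary.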
HarborGuard Analysis
Synopsis
A memory-management flaw in the Linux kernel block layer allows physically contiguous bio-vector segments from different device-pagemap (dev_pagemap) chunks to be incorrectly merged. The vulnerability is reachable over the network with no authentication required and no user interaction needed. Successful exploitation gives an attacker full read, write, and denial-of-service capability against the affected system. A patched-image rebuild at the fix versions is available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that carry affected kernel packages.
Status: Available
HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weighting that score against each environment's compliance policy; findings are routable to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership rules.
Status: Available
A patched-image rebuild targeting the fix commits (6.6.140, 6.12.88, and the associated upstream commits) is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Status: Available
Exploit Conditions
- Network reachability: Required
  The vulnerable code path is reachable over the network, meaning an attacker must be able to send requests to the exposed service from a remote host.
- Authentication: Not required
  No credentials or prior account access are needed to trigger the vulnerable code path (CVSS PR:N).
- Victim interaction: Not required
  The exploit does not require any action from a logged-in user or administrator; it fires without social engineering (CVSS UI:N).
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions or specific memory-layout requirements (CVSS AC:L).
Blast Radius
- An attacker who exploits this flaw gains full read access to kernel memory regions, exposing stored credentials, session tokens, and sensitive in-flight data.
- The attacker can write to kernel memory structures, allowing modification of persisted data, privilege escalation, or injection of malicious code into kernel context.
- The incorrect pgmap resolution can corrupt I/O operations against zone device memory, crashing the affected service or rendering the block device unusable.
- Because the impact covers confidentiality, integrity, and availability at High severity across all three dimensions, a single exploitation event can simultaneously exfiltrate data, tamper with storage, and cause a system outage.
How HarborGuard Handles This
Available on HarborGuard: detection capability is active the moment this CVE is ingested, matching affected kernel package versions in any scanned image. For environments running Linux kernel versions prior to 6.6.140 or 6.12.88, a patched-image rebuild at the fix versions is available. Where compliance policy permits, customers with auto-remediation enabled receive an automated rebuild, a regression-test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in those environments. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with fix-version guidance so engineering teams can trigger a manual rebuild. Teams that cannot immediately apply the patch should consider isolating affected nodes behind strict network policy to reduce the network-reachable attack surface until the kernel upgrade is applied.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: < 3d2ecbd444b01d6500671d1a582b7393943cf539 (from 49580e690755d0e51ed7aa2c33225dd884fa738a) · < a7f3aa8c9df3905fe820ae36b67ba56b81587574 (from 49580e690755d0e51ed7aa2c33225dd884fa738a) · < f17d521075325b8afc42d1baa1c28a5e9aca111f (from 49580e690755d0e51ed7aa2c33225dd884fa738a) · < f632dab4b841554cd6416058c61886d7db176581 (from 49580e690755d0e51ed7aa2c33225dd884fa738a) · < 13920e4b7b784b40cf4519ff1f0f3e513476a499 (from 49580e690755d0e51ed7aa2c33225dd884fa738a)
- Linux / Linux: 6.2 · Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H