HIGH · CVE-2026-46117 · CNA: Linux

CVE-2026-46117: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()

Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.

Just reject it outright and fail the QP creation.

HarborGuard Analysis

Synopsis

This is a kernel memory corruption vulnerability in the Linux kernel's RDMA/mana driver. A local attacker with a low-privilege account can trigger it by passing crafted uAPI input in which Work Queues (WQs) share the same Completion Queue (CQ); mana_ib_create_qp_rss() responds with a WARN_ON(), which logs a warning rather than rejecting the request, and then goes on to corrupt kernel memory. Successful exploitation gives the attacker full read, write, and execution control over the affected system. Patched-image rebuilds at versions 6.12.91, 6.18.30, 7.0.7, and commit 159f2efabc89d3f931d38f2d35876535d4abf0a3 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-46117 is ingested from upstream kernel advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected kernel version.

Triage: Available

Triage is available with the CVSS v3.1 score of 7.8 (HIGH) applied automatically; per-environment compliance policy weighting can escalate or suppress the finding, and routing to the appropriate team inbox within each customer org is supported out of the box.

Patch: Available

A patched-image rebuild against the fixed kernel versions (6.12.91, 6.18.30, 7.0.7, or commit 159f2efabc89d3f931d38f2d35876535d4abf0a3) becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path.

  • Authentication: Required

    Any low-privilege local account is sufficient to invoke the RDMA uAPI and supply the malicious QP configuration.

  • Victim interaction: Not required

    No user interaction is needed; the attacker triggers the vulnerability entirely through their own process calls.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental setup beyond having a local account.

Blast Radius

  • The attacker reads arbitrary kernel memory, including credentials, session tokens, and secrets held by other processes.
  • The attacker writes to arbitrary kernel memory, allowing modification of security policies, process privileges, or persisted data structures.
  • The attacker can achieve code execution in kernel context, gaining full control of the host operating system.
  • All other workloads sharing the same kernel instance are exposed to tampering or disclosure once kernel memory integrity is lost.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-46117 runs against every image in connected registries and CI pipelines, covering both upstream base images and internally built images that include an affected Linux kernel. Where compliance policy permits, a rebuilt image at the patched kernel version is made available automatically; for customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression test run, and opens a PR against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues. For environments where an immediate kernel upgrade is not feasible, compensating controls worth considering include restricting access to RDMA device nodes via Linux DAC or LSM policy, isolating workloads that require RDMA into dedicated nodes with tighter user account controls, and applying network-policy rules to limit lateral movement if the host is compromised before a patch can be applied.
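
For the DAC control mentioned above, a quick audit of which RDMA device nodes any local user can open. This is an added example, not HarborGuard or kernel code; it assumes the nodes sit under /dev/infiniband (the usual udev layout) and that GNU stat is available.

```sh
#!/bin/sh
# Added example: report RDMA device nodes that any local user can open.
# Assumptions: nodes live under /dev/infiniband (usual udev layout) and
# GNU stat is available; pass a directory argument to audit another path.

# Prints one line per node whose mode grants read or write to "other".
rdma_nodes_open_to_other() {
    dir=${1:-/dev/infiniband}
    [ -d "$dir" ] || return 0            # no RDMA nodes on this host
    for node in "$dir"/*; do
        [ -e "$node" ] || continue       # glob matched nothing
        mode=$(stat -c '%a' "$node") || continue
        other=${mode#"${mode%?}"}        # last octal digit = "other" bits
        # 4 = read, 2 = write; either bit is reported as exposure
        if [ $((other & 6)) -ne 0 ]; then
            printf '%s mode=%s owner=%s\n' \
                "$node" "$mode" "$(stat -c '%U:%G' "$node")"
        fi
    done
    return 0
}

# Audit the live host when run directly with "audit" as the first argument.
if [ "${1:-}" = audit ]; then
    rdma_nodes_open_to_other "${2:-/dev/infiniband}"
fi
```

An empty result means no node under the audited directory is readable or writable by users outside its owner and group.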

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

0 · 159f2efabc89d3f931d38f2d35876535d4abf0a3 · 6.12.91 · 6.18.30 · 7.0.7 · 7.1-rc3 · 9cc0c6b1ba8cd5c55aef043e1384de0a8b4efa71 · 9ef65af26b2a6738bf15812042e84b3112402d3a · db991ba50087ad99fa12a2c483aa3be19671ea73

Affected packages
  • Linux / Linux
    < 9cc0c6b1ba8cd5c55aef043e1384de0a8b4efa71 (from c15d7802a42402a87880a17eee89ff023e49ecc0) · < 9ef65af26b2a6738bf15812042e84b3112402d3a (from c15d7802a42402a87880a17eee89ff023e49ecc0) · < db991ba50087ad99fa12a2c483aa3be19671ea73 (from c15d7802a42402a87880a17eee89ff023e49ecc0) · < 159f2efabc89d3f931d38f2d35876535d4abf0a3 (from c15d7802a42402a87880a17eee89ff023e49ecc0)
  • Linux / Linux
    6.8
    Fixed in 0, 6.12.91, 6.18.30, 7.0.7, 7.1-rc3
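
To triage a host or image against the versions listed above, the following added example (not HarborGuard's matcher) classifies a kernel version string. It assumes the reading that the bug entered in 6.8 and that branches with no listed fix remain affected, and it needs GNU sort -V. Vendor kernels that backport the fix keep an older version number, so the result is a hint rather than proof.

```sh
#!/bin/sh
# Added example: classify a kernel version against the ranges listed above.
# Assumed reading of the page: introduced in 6.8; fixed in 6.12.91, 6.18.30,
# 7.0.7 and 7.1-rc3; branches with no listed fix stay affected.

# ver_lt A B: true when A sorts strictly before B (GNU sort -V).
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Prints "affected" or "not-affected" for a version such as 6.12.90 or
# 7.1.0-rc2 (the form uname -r reports).
cve_2026_46117_status() {
    case $1 in
        7.1-rc[12]|7.1-rc[12][!0-9]*|7.1.0-rc[12]|7.1.0-rc[12][!0-9]*)
            echo affected; return ;;     # 7.1 release candidates before rc3
    esac
    ver=${1%%[-+]*}                      # drop -rcN / distro suffixes
    branch=$(printf '%s' "$ver" | cut -d. -f1,2)
    if ver_lt "$ver" 6.8; then
        echo not-affected; return        # predates the introducing commit
    fi
    case $branch in
        6.12) fixed=6.12.91 ;;
        6.18) fixed=6.18.30 ;;
        7.0)  fixed=7.0.7 ;;
        *)    fixed=7.1 ;;               # no listed stable fix before 7.1
    esac
    if ver_lt "$ver" "$fixed"; then echo affected; else echo not-affected; fi
}
```

On a live host, `cve_2026_46117_status "$(uname -r)"` gives the classification for the running kernel.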
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H