HIGH | CVE-2026-46120 | CNA: Linux

CVE-2026-46120: ip6_gre: Use cached t->net in ip6erspan_changelink().

In the Linux kernel, the following vulnerability has been resolved:

ip6_gre: Use cached t->net in ip6erspan_changelink().

After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.

This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().

Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).

ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.

HarborGuard Analysis

Synopsis

A use-after-free memory corruption bug affects the Linux kernel's ip6erspan tunnel driver (ip6_gre). The flaw is exploitable locally by a low-privilege user who can create a user or network namespace, requiring no network access and no elevated credentials. Successful exploitation gives an attacker full read, write, and crash capability over kernel memory, enabling privilege escalation or denial of service. A patched-image rebuild at the fix versions is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46120 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI pipelines, and custom-built base images that include an affected Linux kernel version.

Triage: Available

HarborGuard scores this CVE at CVSS 7.8 HIGH and can weight that score against each environment's compliance policy to determine ticket priority and routing. Alerts can be directed to the appropriate team inbox within each customer organization based on configured severity thresholds.

Patch: Available

A patched-image rebuild targeting the fix versions (including kernel tag 4.17 and commit 311fdd26eb4443d43b909cc67a10f3a5fd1b21b2) is available on HarborGuard for affected environments. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no inbound network access to the target service is required.

  • Authentication: Required

    Any low-privilege account is sufficient; the attack path is reachable via an unprivileged user namespace (for example, unshare --user --map-root-user --net).

  • Victim interaction: Not required

    No user interaction is needed; the attacker triggers the bug entirely through their own process.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • An attacker reads arbitrary kernel memory, including credentials, session tokens, and data belonging to other processes.
  • An attacker writes to arbitrary kernel memory, enabling privilege escalation to root or modification of security-sensitive kernel structures.
  • The slab-use-after-free and subsequent kernel BUG in unregister_netdevice_many_notify() can crash the host, taking down all workloads on the node.
  • The stale netns hash entry persists until netns teardown, meaning the window for exploitation extends beyond the initial tunnel reconfiguration.

How HarborGuard Handles This

Available on HarborGuard: images containing an affected Linux kernel version are flagged automatically when scans run against customer registries or CI pipelines. For customers who opt into auto-remediation, HarborGuard can rebuild the base image at a fixed kernel version, execute the configured regression suite, and open a pull request against affected workloads; for HIGH severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced in the customer dashboard for one-click promotion.

Because this bug is reachable from unprivileged user namespaces, customers who cannot immediately apply the kernel patch should consider restricting unprivileged user namespace creation via sysctl (kernel.unprivileged_userns_clone=0) as a compensating control, and should apply network-policy isolation to limit lateral movement from any compromised workload.
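
One way to verify that the sysctl compensating control is actually in force on a host, as an added example that is not HarborGuard's or the kernel project's code. It assumes that kernel.unprivileged_userns_clone exists only on distribution-patched kernels (Debian and Ubuntu carry it) and therefore also checks the mainline user.max_user_namespaces limit; the function names and the two directory arguments are this example's own.

```shell
#!/bin/sh
# Added example (not HarborGuard code): audit the user-namespace compensating control.
# Usage: userns_control_status [PROC_SYS_DIR] [ETC_DIR]
# Both directory arguments are this example's own, so it can run on a constructed tree.

# Print the value of a sysctl file, or nothing if the kernel does not expose it.
knob_value() {
    [ -r "$1" ] && cat "$1" || true
}

# Succeed if KEY ($1) is set to 0 in sysctl.conf or sysctl.d/*.conf under ETC_DIR ($2).
# Simplified: /usr/lib/sysctl.d, /run/sysctl.d and override order are not evaluated.
persisted_zero() {
    key_re=$(printf '%s' "$1" | sed 's|\.|[./]|g')   # sysctl.conf accepts "." or "/"
    for f in "$2/sysctl.conf" "$2"/sysctl.d/*.conf; do
        [ -r "$f" ] || continue
        grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*0[[:space:]]*\$" "$f" && return 0
    done
    return 1
}

# Prints one of: "restricted persistent KEY", "restricted runtime-only KEY", "open", "unknown".
userns_control_status() {
    proc="${1:-/proc/sys}"; etc="${2:-/etc}"
    # kernel.unprivileged_userns_clone is the knob named on this page; it exists only on
    # distribution-patched kernels. user.max_user_namespaces is the mainline limit, and
    # a value of 0 blocks all user namespace creation.
    for key in kernel.unprivileged_userns_clone user.max_user_namespaces; do
        path=$(printf '%s' "$key" | tr . /)
        if [ "$(knob_value "$proc/$path")" = "0" ]; then
            if persisted_zero "$key" "$etc"; then
                echo "restricted persistent $key"
            else
                echo "restricted runtime-only $key"   # setting is lost at next reboot
            fi
            return 0
        fi
    done
    if [ -e "$proc/kernel/unprivileged_userns_clone" ] || [ -e "$proc/user/max_user_namespaces" ]; then
        echo "open"
    else
        echo "unknown"
    fi
}

userns_control_status "$@"
```

A result of "restricted runtime-only" means the value was set with a live sysctl write and will revert at the next boot unless it is also written to a sysctl configuration file.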

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

Affected packages
  • Linux / Linux
    < eca62bb0569de4d43a4dac06a2092a9d4ca1d702 (from 2d665034f239412927b1e71329f20f001c92da09) · < 311fdd26eb4443d43b909cc67a10f3a5fd1b21b2 (from 2d665034f239412927b1e71329f20f001c92da09) · < e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82 (from 2d665034f239412927b1e71329f20f001c92da09) · < cf7fc624329e76c6394653d12353e1d033adea91 (from 2d665034f239412927b1e71329f20f001c92da09) · < 1d324c2f43f70c965f25c58cc3611c779adbe47e (from 2d665034f239412927b1e71329f20f001c92da09) · c6d72628352c949629af619b77b042e0fb5245e7
  • Linux / Linux
    4.17
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H