CVE-2026-46145: RDMA/mana: Validate rx_hash_key_len
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mana: Validate rx_hash_key_len
Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.
HarborGuard Analysis
Synopsis
A heap/stack memory-corruption vulnerability exists in the Linux kernel's RDMA/mana driver due to a missing bounds check on the user-supplied rx_hash_key_len field. The flaw is reached locally and requires a low-privilege account; no network access or victim interaction is needed. Successful exploitation gives an attacker full read, write, and crash capabilities over kernel memory, enabling privilege escalation, data disclosure, or denial of service. Patched-image rebuilds at versions 6.6.141 and 6.12.88 (and the corresponding upstream commits) are available on HarborGuard for affected environments.
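
The bounds check described above, modelled in user-space C as an added example; it is not the kernel patch and not HarborGuard code. Only `rx_hash_key_len` comes from the page: the struct names, the 40-byte key size and the `guard` field are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_HASH_KEY_SIZE 40   /* assumed key size, for illustration only */

/* Hypothetical request as it arrives from userspace; every field is untrusted. */
struct demo_rss_req {
    uint32_t rx_hash_key_len;
    uint8_t  rx_hash_key[DEMO_HASH_KEY_SIZE];
};

/* Hypothetical driver-side state; 'guard' stands in for adjacent kernel data. */
struct demo_rss_state {
    uint8_t  key[DEMO_HASH_KEY_SIZE];
    uint32_t guard;
};

/* Check the caller-supplied length against both buffers before the memcpy. */
int demo_set_hash_key(struct demo_rss_state *st, const struct demo_rss_req *req)
{
    uint32_t len = req->rx_hash_key_len;   /* read once, then validate */

    if (len > sizeof(st->key) || len > sizeof(req->rx_hash_key))
        return -EINVAL;                    /* reject instead of truncating */
    memcpy(st->key, req->rx_hash_key, len);
    return 0;
}

/* Constructed check: returns 1 if 'guard' was overwritten, else the call's rc. */
int demo_try_len(uint32_t len)
{
    struct demo_rss_state st = { .guard = 0xC0FFEEu };
    struct demo_rss_req req = { .rx_hash_key_len = len };
    int rc;

    memset(req.rx_hash_key, 0xAB, sizeof(req.rx_hash_key));
    rc = demo_set_hash_key(&st, &req);
    return (st.guard != 0xC0FFEEu) ? 1 : rc;
}

int main(void)
{
    printf("len=40 -> %d, len=41 -> %d\n", demo_try_len(40), demo_try_len(41));
    return 0;
}
```

Rejecting an oversized length with an error, rather than clamping it, keeps a malformed request from being silently accepted with a truncated key.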
HarborGuard Coverage
Detection of CVE-2026-46145 is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that ship their own kernel or kernel modules.
HarborGuard scores this CVE at CVSS 7.8 HIGH (v3.1) and applies per-environment compliance policy weighting to determine urgency and routing, surfacing findings to the appropriate team inbox within each customer organization.
A patched-image rebuild at kernel versions 6.6.141, 6.12.88, and the associated upstream commits is available on HarborGuard for environments running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the service is required.
- Authentication: Required
Any low-privilege local account is sufficient to trigger the vulnerable uAPI path; no administrative credentials are needed.
- Victim interaction: Not required
No user interaction is required; the attacker exercises the vulnerable code path directly.
- Attack complexity: Detail
Exploit conditions are straightforward and reliable, with no race conditions or specific memory-layout prerequisites required.
Blast Radius
- Reads arbitrary kernel memory, exposing credentials, cryptographic keys, and sensitive process data belonging to any user or kernel subsystem.
- Writes arbitrary kernel memory, allowing an attacker to overwrite security-critical structures and escalate to root or bypass kernel integrity protections.
- Crashes the kernel or the affected RDMA/mana driver, causing an immediate system reboot or persistent denial of service for all workloads on the host.
- Corrupts kernel state in ways that may persist across driver reloads, potentially leaving the system in an exploitable or unstable condition.
How HarborGuard Handles This
Available on HarborGuard: this CVE is matched against customer images at ingest time, and patched-image rebuilds at kernel versions 6.6.141 and 6.12.88 (plus the corresponding upstream commits 012796f9541fcd0c1fa8ae4da7eb4d83931ef838 and 11c1431d641e0e4e0529e96957995820600c7287) are available for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, executes a regression test run against the rebuilt image, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding is routed to the configured team inbox with CVSS scoring and compliance-policy context so engineers can act manually. Until a patched image is deployed, compensating controls include restricting access to RDMA/mana device nodes via Linux DAC or LSM policy and limiting which container workloads can open uAPI paths to the mana driver.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: < 7d7c9f0fcd19c4d2f0164347c58d49cafa961b72 (from 0266a177631d4c6b963b5b12dd986a8c5abdbf06) · < 11c1431d641e0e4e0529e96957995820600c7287 (from 0266a177631d4c6b963b5b12dd986a8c5abdbf06) · < 012796f9541fcd0c1fa8ae4da7eb4d83931ef838 (from 0266a177631d4c6b963b5b12dd986a8c5abdbf06) · < 7d94f155f354b961c598f71bafa804dceded513f (from 0266a177631d4c6b963b5b12dd986a8c5abdbf06) · < 6dd2d4ad9c8429523b1c220c5132bd551c006425 (from 0266a177631d4c6b963b5b12dd986a8c5abdbf06)
- Linux / Linux: 6.2 · Fixed in 0, 6.6.141, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H