HIGH | CVE-2026-46149 | CNA: Linux

CVE-2026-46149: scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()

target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer. snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.

The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.

Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length check to avoid buffer overflow") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.

HarborGuard Analysis

Synopsis

A stack buffer over-read vulnerability exists in the Linux kernel's SCSI target configfs subsystem, specifically in the tg_pt_gp_members_show() function. An attacker with a low-privilege local account can trigger the flaw by reading a sysfs attribute when a fabric WWN (such as a long iSCSI IQN name) causes snprintf() to return a value larger than the 256-byte stack buffer, leading to memcpy() reading past the buffer boundary. Successful exploitation exposes adjacent stack memory contents to the sysfs reader and can trigger a kernel panic via CONFIG_FORTIFY_SOURCE, resulting in information disclosure and denial of service. A patched-image rebuild at fix versions 6.6.140 and 6.12.88 is available on HarborGuard for affected environments.
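The snprintf() return-value pitfall described above, as a userspace model added here (it is not the kernel source or the upstream patch). The function names, the 4096-byte page size, the reject-on-truncation policy and the sample WWN and LUN name are assumptions constructed for illustration; only the 256-byte buffer and the 223-byte IQN limit come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* stack buffer size given in the advisory */
#define PAGE_SZ  4096  /* assumed size of the output page */

/* snprintf() returns the length the full line would have had, uncapped. */
static int format_member(char *buf, const char *fabric, const char *wwn,
                         unsigned short tpgt, const char *lun)
{
    return snprintf(buf, NAME_BUF, "%s/%s/tpgt_%hu/%s\n", fabric, wwn, tpgt, lun);
}

/* Pre-fix pattern: only the destination page is checked. Returns the byte
 * count memcpy() would read from buf; the copy itself is not performed. */
size_t unchecked_copy_len(size_t len, const char *fabric, const char *wwn,
                          unsigned short tpgt, const char *lun)
{
    char buf[NAME_BUF];
    size_t cur_len = (size_t)format_member(buf, fabric, wwn, tpgt, lun) + 1;
    return (cur_len + len > PAGE_SZ) ? 0 : cur_len;   /* can exceed NAME_BUF */
}

/* Bounded pattern: a truncated line is never used as a copy length.
 * Returns the new page length, or -1 if the entry was rejected. */
long append_member_bounded(char *page, size_t len, const char *fabric,
                           const char *wwn, unsigned short tpgt, const char *lun)
{
    char buf[NAME_BUF];
    int n = format_member(buf, fabric, wwn, tpgt, lun);
    if (n < 0 || (size_t)n >= NAME_BUF)         /* source bound */
        return -1;
    if ((size_t)n + 1 + len > PAGE_SZ)          /* destination bound */
        return -1;
    memcpy(page + len, buf, (size_t)n + 1);     /* line plus NUL terminator */
    return (long)(len + (size_t)n + 1);
}

int main(void)
{
    char page[PAGE_SZ], wwn[224];               /* constructed 223-byte WWN */
    memset(wwn, 'a', 223); wwn[223] = '\0';
    const char *lun = "lun_18446744073709551615";  /* constructed item name */
    printf("unchecked copy length: %zu of %d\n",
           unchecked_copy_len(0, "iscsi", wwn, 65535, lun), NAME_BUF);
    printf("bounded result: %ld\n",
           append_member_bounded(page, 0, "iscsi", wwn, 65535, lun));
    return 0;
}
```

With the constructed inputs the unchecked length is larger than the 256-byte source buffer even though the page check passes, which is the gap between guarding the destination write and guarding the source read.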

HarborGuard Coverage

Detection

Detection of CVE-2026-46149 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in registries and CI/CD pipelines, including custom-built kernel images. Coverage extends to any image packaging an affected Linux kernel version in the ranges listed in the advisory.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.1 (HIGH) and weighting it against each environment's compliance policy to prioritize it appropriately. Triage routing directs the finding to the team inbox configured for kernel-level or infrastructure findings within each customer organization.

Status: Available

Patch

A patched-image rebuild at Linux kernel versions 6.6.140 and 6.12.88 (commit refs 00d91bfdce50 and 1f678d13e939) becomes available on HarborGuard for any environment running an affected kernel version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the sysfs read that exposes the vulnerability.

  • Victim interaction: Not required

    No user interaction is required; the attacker can trigger the flaw directly by reading the affected sysfs attribute.

  • Attack complexity

    The exploit is reliable and condition-free; no race conditions or special memory layout are required to trigger the over-read.

Blast Radius

  • Reads adjacent kernel stack memory contents and exposes them to an unprivileged sysfs reader, potentially leaking kernel pointers, function addresses, or other sensitive stack data.
  • Triggers a kernel panic via CONFIG_FORTIFY_SOURCE when the fortify bounds check detects the out-of-bounds memcpy, crashing the affected host or container runtime.
  • Availability of the system is fully disrupted for any workload sharing the kernel, as a panic terminates all running processes on the host.

How HarborGuard Handles This

Available on HarborGuard: images running Linux kernel versions in the affected ranges are flagged immediately upon scan, with the finding scored at CVSS 7.1 HIGH. For customers who opt into auto-remediation, HarborGuard can rebuild affected images at the patched kernel versions (6.6.140 or 6.12.88), execute a regression test run, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual review, the finding is routed to the configured team inbox with full CVSS context and fix-version references. As a compensating control before patching, consider restricting read access to the affected sysfs path (/sys/kernel/config/target) via Linux DAC or MAC policy (such as SELinux or AppArmor) to limit exposure to the tg_pt_gp_members attribute.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

0 · 00d91bfdce5033f5d9b4915638ae9b0553848b5d · 1f678d13e939f91840cb1ebe9b88544923539d3c · 6.6.140 · 6.12.88 · 6.18.30 · 7.0.7 · 7.1-rc3 · 72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e · 772a896a56e0e3ef9424a025cec9176f9d8f4552 · e501154f9d82c95d2719bcbbaf679d8fd3226ef7
Affected packages
  • Linux / Linux
    < 1f678d13e939f91840cb1ebe9b88544923539d3c (from c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5) · < 72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e (from c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5) · < 00d91bfdce5033f5d9b4915638ae9b0553848b5d (from c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5) · < e501154f9d82c95d2719bcbbaf679d8fd3226ef7 (from c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5) · < 772a896a56e0e3ef9424a025cec9176f9d8f4552 (from c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5)
  • Linux / Linux
    2.6.38
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H