CVE-2026-46150: fanotify: fix false positive on permission events
In the Linux kernel, the following vulnerability has been resolved:

fanotify: fix false positive on permission events

fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check. Fix by skipping over detached marks that are not in the current group.

HarborGuard Analysis
Synopsis
A permission-check bypass vulnerability exists in the Linux kernel's fanotify subsystem, affecting kernel versions prior to the fix commits across the 6.6, 6.12, 6.18, and 7.0 stable trees. The bug is reachable locally by any low-privilege user with an existing shell on the host; no network access or victim interaction is needed. Successful exploitation allows an attacker to read files and modify data that should have been blocked by fanotify permission event checks. Patched-image rebuilds at versions 6.6.140, 6.12.88, 6.18.30, and 7.0.7 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected kernel version. Both registry scans and in-pipeline image checks are covered.
HarborGuard scores this CVE at CVSS 7.1 (High) using the published v3.1 vector and weights it against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at the applicable fix version (6.6.140, 6.12.88, 6.18.30, or 7.0.7, depending on the kernel branch in use) becomes available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression test pass, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access is required to trigger the fanotify permission bypass.
- Authentication: Required
Any low-privilege local account is sufficient; the attacker does not need administrative or root credentials to exploit the bypass.
- Victim interaction: Not required
No user interaction is needed; the attacker can trigger the vulnerable code path entirely on their own.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory-layout randomization, or other environmental preconditions.
Blast Radius
- Reads files whose access should have been denied by fanotify permission event checks, including sensitive configuration files, secrets, or application data on the host.
- Modifies files or data that fanotify permission hooks were intended to block, potentially corrupting application state or injecting malicious content into monitored paths.
- Bypasses security tools (such as antivirus or audit daemons) that rely on fanotify permission events to intercept and approve or deny file operations.
How HarborGuard Handles This
Available on HarborGuard: images running Linux kernels in the affected version ranges are flagged automatically within minutes of CVE ingestion, covering both pulled base images and custom-built images that bundle a vulnerable kernel. For customers who opt into auto-remediation, HarborGuard selects the correct fix branch (6.6.140, 6.12.88, 6.18.30, or 7.0.7) based on the kernel lineage present in the image, triggers a rebuild, runs a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual sign-off, the rebuilt image and test results are staged and surfaced in the remediation queue for team review. Because the bypass is local and requires only a low-privilege account, prioritization is recommended for multi-tenant hosts, container environments with shared kernels, and any host where fanotify-based security tooling is part of the access-control boundary.
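As an added check (written for this page, not HarborGuard's own tooling), the POSIX shell below classifies a kernel release string against the per-branch fix versions listed in this advisory, strips distribution suffixes such as -1-amd64, and reports branches the advisory does not cover as unlisted rather than guessing:

```shell
#!/bin/sh
# Added example (constructed here, not HarborGuard tooling): classify a kernel
# release string against the fix versions this advisory lists for each stable
# branch: 6.6.140, 6.12.88, 6.18.30, 7.0.7, and mainline 7.1-rc2.

# Reduce "6.6.139-1-amd64" to "6.6.139" and "7.1.0-rc2" to "7.1-rc2".
kernel_base_version() {
    printf '%s\n' "$1" |
        sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?(-rc[0-9]+)?).*/\1/; s/\.0-rc/-rc/'
}

# Print "fixed", "affected" or "unlisted" for one kernel release string.
# Branches without a listed fix version (for example 6.1.y) are reported as
# "unlisted": the advisory gives no fix for them, so do not assume either way.
cve_2026_46150_status() {
    v=$(kernel_base_version "$1")
    case "$v" in
        7.1-rc1)                       echo affected ;;   # precedes the 7.1-rc2 fix
        7.1|7.1-rc*|7.1.*|7.[2-9]*|7.[1-9][0-9]*|[8-9].*|[1-9][0-9].*)
                                       echo fixed ;;
        7.0|7.0-rc*|6.18|6.18-rc*|6.12|6.12-rc*|6.6|6.6-rc*)
                                       echo affected ;;   # before the branch's first fixed point release
        7.0.*)   [ "${v#7.0.}"  -ge 7   ] && echo fixed || echo affected ;;
        6.18.*)  [ "${v#6.18.}" -ge 30  ] && echo fixed || echo affected ;;
        6.12.*)  [ "${v#6.12.}" -ge 88  ] && echo fixed || echo affected ;;
        6.6.*)   [ "${v#6.6.}"  -ge 140 ] && echo fixed || echo affected ;;
        *)                             echo unlisted ;;
    esac
}

# With no arguments, check the running kernel; otherwise each argument given.
[ "$#" -gt 0 ] || set -- "$(uname -r)"
for k in "$@"; do
    printf '%s\t%s\n' "$k" "$(cve_2026_46150_status "$k")"
done
```

Note that the script only reads the version string: a vendor kernel that backported the fix without bumping its point release will still be reported as affected, so confirm against the distribution's own changelog before closing a finding.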
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 0 (per-branch fix versions are listed under the affected products below)
- Affected Products: 2
Fix available
- Linux / Linux, from commit abc77577a669f424c5d0c185b9994f2621c52aa4 up to (not including) each fix commit: 895ebbedf88318607c24acc0f591c74b165e1d0a, f130790f1acc8399f32652846c875a251efd040f, 7baa02b0ae9d17ec5f08836d8ea88ce1927d0678, b7b24b28c8cd55844cab908f4f39dded638d5538, 7746e3bd4cc19b5092e00d32d676e329bfcb6900
- Linux / Linux, from 4.12: fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N