HarborGuard / CVE
Back to search
HIGHCVE-2026-46174Published Modified CNA Linux

CVE-2026-46174: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache

In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.

HarborGuard Analysis

HarborGuard analysis

Synopsis

This is a CPU microarchitecture isolation flaw in the Linux kernel affecting AMD Zen2 processors. A local attacker with a low-privilege account can exploit improper resource sharing in the Zen2 op cache (the CPU's micro-op decode cache) to corrupt instructions being executed by other processes or virtual machines on the same physical host. Successful exploitation allows an attacker to read sensitive data, tamper with execution, or crash affected workloads running on the same CPU. Patched-image rebuilds at the fix commits are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected Linux kernel version. Any image carrying a kernel package in the vulnerable range is flagged automatically.

Available
Triage

HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on policy configuration.

Available
Patch

A patched-image rebuild against the fix commits is available on HarborGuard for images confirmed to carry an affected kernel version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; for HIGH-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • AuthenticationRequired

    Any low-privilege local account is sufficient; no administrative or elevated credentials are needed.

  • Victim interactionNot required

    No action by another user or victim is needed; the attacker can exploit the flaw entirely on their own.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layouts, or other variable environmental factors.

Blast Radius

  • Reads protected memory from other processes or guest VMs sharing the same physical CPU core, including secrets, session tokens, or cryptographic key material.
  • Corrupts instructions being decoded by co-located workloads, enabling tampering with their execution flow or persisted state.
  • Crashes affected processes or guest VMs through instruction corruption, causing service disruption on the host.
  • Because the scope is changed (S:C in the CVSS vector), impact extends beyond the attacker's own process boundary to other security contexts on the same physical host.

How HarborGuard Handles This

Available on HarborGuard: images carrying a Linux kernel in the affected version ranges are identified automatically as part of each ingest cycle. Where compliance policy permits, auto-remediation rebuilds the image at a patched commit, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues the median time to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS scoring and fix-version guidance so teams can act manually. Because this is a host-kernel vulnerability, customers running container workloads on bare-metal or VM hosts with Zen2 CPUs should prioritize patching the underlying node kernel, not only the container image layer; HarborGuard flags both the base image kernel package and any custom layers that bundle a kernel.

See how HarborGuard automates this

Metrics

CVSS v3.1
8.8
Severity
HIGH
Fixed in
0
Affected Products
2

Fix available

01cd85a19748b2407830376a5cbae5c0f126016e51e23b30a80b14e5764657401ee2cca030525ae8e251497955f2314cd39d43191e81c6151dead4c7b28f5ed477eef166d678d6966762cbc1de9b4f4363.174.54.105.10.2565.15.2076.1.1736.6.1396.12.886.18.307.0.77.1-rc49109489cc8c34e50d15575a3d1ff82af586bc1aac21b90f77687075115d989e53a8ec5e2bb427ab1f5bc3aef7df46eaaf423d7413ab8833f704ae576ff6fc65b3bf73acc5ee71919154d830ad5431362
Affected packages
  • Linux / Linux
    < 1e23b30a80b14e5764657401ee2cca030525ae8e (from f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9) · < f5bc3aef7df46eaaf423d7413ab8833f704ae576 (from f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9) · < 251497955f2314cd39d43191e81c6151dead4c7b (from f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9) · < ff6fc65b3bf73acc5ee71919154d830ad5431362 (from f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9) · < 9109489cc8c34e50d15575a3d1ff82af586bc1aa (from f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9) · < 28f5ed477eef166d678d6966762cbc1de9b4f436 (from f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9)
  • Linux / Linux
    4.14
    Fixed in 0, 5.10.256, 5.15.207, 6.1.173, 6.6.139, 6.12.88, 6.18.30, 7.0.7, 7.1-rc4
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References