HIGH · CVE-2026-46190 · CNA: Linux

CVE-2026-46190: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

In the Linux kernel, the following vulnerability has been resolved:

mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Sashiko noticed an out-of-bounds read [1].

In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).

Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.

Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.

Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.
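The length mix-up described above, modelled in userspace C as an added example (not the kernel's code). The table `demo_names`, the helper `oob_lookups()` and the flag values are constructed for illustration, and the model only counts lookups without dereferencing anything.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's ARRAY_SIZE() (no type checking). */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed flag-name table; plays the role of snor_f_names. */
static const char *const demo_names[] = {
    "FLAG_A", "FLAG_B", "FLAG_C", "FLAG_D", "FLAG_E",
};

/*
 * Model of the bounds check: bit i is looked up in names[] only when
 * i < names_len. Returns how many set bits pass that check while lying
 * past the real end of the table (n_elems). Nothing is dereferenced,
 * so the model itself never reads out of bounds.
 */
static int oob_lookups(unsigned long flags, size_t n_elems, size_t names_len)
{
    int count = 0;

    for (size_t i = 0; i < sizeof(flags) * 8; i++) {
        if (!(flags & (1UL << i)))
            continue;               /* bit not set, no lookup */
        if (i < names_len && i >= n_elems)
            count++;                /* check passes, index is invalid */
    }
    return count;
}

int main(void)
{
    /* Constructed flags: bit 2 is a valid index, bits 7 and 12 are not. */
    unsigned long flags = (1UL << 2) | (1UL << 7) | (1UL << 12);
    size_t n = ARRAY_SIZE(demo_names);

    printf("elements=%zu bytes=%zu\n", n, sizeof(demo_names));
    printf("sizeof() as length:     %d invalid lookups\n",
           oob_lookups(flags, n, sizeof(demo_names)));
    printf("ARRAY_SIZE() as length: %d invalid lookups\n",
           oob_lookups(flags, n, ARRAY_SIZE(demo_names)));
    return 0;
}
```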

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the Linux kernel's SPI NOR flash debugfs subsystem, specifically in the spi_nor_params_show() function. An attacker with a low-privilege local account can trigger the flaw by causing flag-bit evaluation to walk past the end of the snor_f_names pointer array, which is incorrectly sized using sizeof() instead of ARRAY_SIZE(). Successful exploitation allows the attacker to read arbitrary kernel memory and disrupt the affected kernel subsystem. Patched-image rebuilds at fix versions 6.6.140, 6.12.88, and 6.18.30 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle affected kernel versions.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.1 (HIGH) and weighting it against each environment's per-org compliance policy, then routing the finding to the appropriate team inbox within the customer organization.

Available

Patch

A patched-image rebuild at the applicable fix version (6.6.140, 6.12.88, or 6.18.30) becomes available on HarborGuard once the upstream fix is confirmed for the base image in use. For customers who opt into auto-remediation, the platform performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required to trigger the vulnerable code path.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrative or root-level credentials to reach the debugfs interface.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can trigger the out-of-bounds read directly without social engineering or victim participation.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory-layout luck, or other environmental factors.

Blast Radius

  • Reads kernel memory contents beyond the intended array boundary, which may expose internal kernel pointers, flag values, or adjacent data structures.
  • Crashes or destabilizes the SPI NOR debugfs subsystem, causing denial-of-service for processes or tools that rely on that kernel interface.
  • On 64-bit systems the effective over-read window is up to 8x the intended array size, widening the range of potentially exposed kernel memory.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any image running a Linux kernel version in the affected range. For environments pinned to kernel 6.6.x, 6.12.x, or 6.18.x, a patched-image rebuild at the corresponding fix version is available as soon as the base image reflects the upstream commit. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes the configured regression suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the configured team inbox with CVSS scoring and affected-layer detail attached for manual review.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

0 · 34bdcfb496b29f9a52431194f94473b37fb8c162 · 6.6.140 · 6.12.88 · 6.18.30 · 7.0.7 · 7.1-rc2 · 9a80c458320e0514e11945402dd6e48fcee05524 · c0b654bc0b76a1da102d9138be1ed1223bd99310 · ca18c180b053f6ce80394322b314ac721c316af7 · e47029b977e747cb3a9174308fd55762cce70147

Affected packages
  • Linux / Linux
    < 9a80c458320e0514e11945402dd6e48fcee05524 (from 0257be79fc4a16a3252ce80aa13b3640f728c425) · < ca18c180b053f6ce80394322b314ac721c316af7 (from 0257be79fc4a16a3252ce80aa13b3640f728c425) · < 34bdcfb496b29f9a52431194f94473b37fb8c162 (from 0257be79fc4a16a3252ce80aa13b3640f728c425) · < c0b654bc0b76a1da102d9138be1ed1223bd99310 (from 0257be79fc4a16a3252ce80aa13b3640f728c425) · < e47029b977e747cb3a9174308fd55762cce70147 (from 0257be79fc4a16a3252ce80aa13b3640f728c425)
  • Linux / Linux
    5.19
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc2
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H