HIGH · CVE-2026-46204 · CNA: Linux

CVE-2026-46204: drm/amdgpu/vcn4: Prevent OOB reads when parsing IB

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/vcn4: Prevent OOB reads when parsing IB

Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the Linux kernel's amdgpu DRM driver, specifically in the VCN4 component responsible for parsing Indirect Buffers (IBs). The flaw is reachable locally by a low-privilege user with an existing account on the host, requiring no network access or user interaction, as described by the CVSS vector. Successful exploitation allows an attacker to read sensitive memory contents and trigger a system crash, resulting in both information disclosure and a denial of service. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46204 is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel security feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that bundle their own kernel or kernel modules. Images derived from affected kernel versions are flagged automatically without any manual configuration.

Status: Available

Triage

HarborGuard scores this CVE at 7.1 HIGH using the published CVSS v3.1 vector and weights it against each customer environment's active compliance policy to determine urgency and routing. Findings are delivered to the team or inbox configured for kernel-level issues within the customer organization, reducing time spent triaging undifferentiated alert queues.

Status: Available

Patch

A patched-image rebuild targeting the fixed kernel commits (including the stable 6.6.140 tag) is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the vulnerable component is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to reach the vulnerable IB parsing code path in the amdgpu driver.

  • Victim interaction: Not required

    No action from another user or administrator is needed; the attacker can trigger the bug independently.

  • Attack complexity

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race wins, or memory-layout dependencies.

Blast Radius

  • Reads kernel memory contents that the low-privilege attacker would not normally have access to, which may include in-flight data, session tokens, or other process memory.
  • Crashes the affected system or kernel component, forcing a reboot and interrupting all workloads running on that host.
  • On a multi-tenant host (for example, a shared Kubernetes node), a crash caused by one container affects every other workload co-located on the same node.

How HarborGuard Handles This

Available on HarborGuard: detection is matched continuously against customer images as new layers are pushed or base images are updated, so any image incorporating an affected Linux kernel version is flagged within minutes of the CVE entering the feed. For customers who opt into auto-remediation, a rebuilt image at the patched kernel version (6.6.140 or the equivalent upstream commit) is generated, a regression test run is executed, and a pull request is opened against affected workloads; median time from publication to merged PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not permitted by compliance policy, the finding is surfaced in the triage queue with the recommended target version clearly noted so engineers can act manually. Because this vulnerability requires a local foothold, customers who cannot immediately patch are advised to apply strict container security contexts (for example, disabling unnecessary device access and limiting which users can interact with DRM devices) as a compensating control while the rebuild is prepared.
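The compensating control above can be checked before admission with a small audit of pod manifests. This is an added example, not HarborGuard code; it assumes manifests in the JSON shape returned by `kubectl get pod -o json`, and the sample pod is constructed. It lists containers that can reach host DRM device nodes because they are privileged, mount `/dev` or `/dev/dri` through a hostPath volume, or request `amd.com/gpu` from the AMD device plugin.

```python
def audit_pod(pod):
    """Return (container, reason) pairs for containers that can reach host DRM devices."""
    spec = pod.get("spec", {})
    # hostPath volumes that expose /dev or /dev/dri from the node
    dri_volumes = set()
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path", "").rstrip("/")
        if path in ("/dev", "/dev/dri") or path.startswith("/dev/dri/"):
            dri_volumes.add(vol["name"])
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append((name, "privileged: all host devices visible"))
        for mount in c.get("volumeMounts", []):
            if mount.get("name") in dri_volumes:
                findings.append((name, "hostPath mount exposes DRM devices"))
        limits = (c.get("resources") or {}).get("limits") or {}
        if "amd.com/gpu" in limits:
            # Expected for GPU workloads; listed so they can be scheduled
            # onto patched nodes first.
            findings.append((name, "amd.com/gpu device requested"))
    return findings


# Constructed sample manifest (not taken from any real cluster).
SAMPLE_POD = {
    "spec": {
        "volumes": [
            {"name": "dri", "hostPath": {"path": "/dev/dri/"}},
            {"name": "cache", "emptyDir": {}},
        ],
        "containers": [
            {"name": "transcoder",
             "volumeMounts": [{"name": "dri", "mountPath": "/dev/dri"}]},
            {"name": "sidecar", "securityContext": {"privileged": True}},
            {"name": "web", "volumeMounts": [{"name": "cache", "mountPath": "/tmp"}]},
            {"name": "encoder", "resources": {"limits": {"amd.com/gpu": 1}}},
        ],
    }
}

if __name__ == "__main__":
    for container, reason in audit_pod(SAMPLE_POD):
        print(f"{container}: {reason}")
```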

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

Affected packages
  • Linux / Linux
    < 1dc005775fb5b3f86464406452b17364f85581d3 (from 0b15205c7325dc20b7da0068307670d222d66949) · < d0802a8877d730260d4af4dd4e0b6cde7e0e593f (from 0b15205c7325dc20b7da0068307670d222d66949) · < a6d5563ba1f03a049561cd347574613167294e8d (from 0b15205c7325dc20b7da0068307670d222d66949) · < 5c3e8ebad0c9e2354ddfa8f2148dc4f70a3b4bd1 (from 0b15205c7325dc20b7da0068307670d222d66949) · < 2444eb0ec8283f4a3845eb7febad378476e1ba3c (from 0b15205c7325dc20b7da0068307670d222d66949)
  • Linux / Linux
    6.0
    Fixed in 0, 6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc1
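The version data above can be turned into a quick triage check for `uname -r` output. This is an added example, not HarborGuard or kernel project code; it assumes the `6.0` entry is the first affected release and that the host runs an upstream-versioned kernel. Distribution kernels may carry the fix as a backport under an older version number, so an "affected" result is a prompt to check the vendor changelog, not a verdict.

```python
import re

# Fixed releases per stable branch, copied from the "Fixed in" list on this page.
FIXED = {(6, 6): 140, (6, 12): 90, (6, 18): 32, (7, 0): 9}
INTRODUCED = (6, 0)      # assumption: the "6.0" entry is the first affected release
FIXED_MAINLINE = (7, 1)  # 7.1-rc1 and everything after it carries the fix


def parse_release(release):
    """Split a `uname -r` style string into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(release):
    """Return 'not-affected', 'fixed' or 'affected' for an upstream kernel."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "not-affected"   # predates the first affected release
    if branch >= FIXED_MAINLINE:
        return "fixed"
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "affected"
    return "affected"           # no fixed release listed here for this branch


if __name__ == "__main__":
    # Constructed sample release strings.
    for rel in ("5.15.0-91-generic", "6.1.100", "6.6.139", "6.6.140", "7.0.8", "7.1.0-rc1"):
        print(f"{rel:20} {classify(rel)}")
```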
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H