CVE-2026-46205: staging: media: atomisp: Disallow all private IOCTLs
In the Linux kernel, the following vulnerability has been resolved:

staging: media: atomisp: Disallow all private IOCTLs

Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.
HarborGuard Analysis
Synopsis
This is a privilege-escalation vulnerability in the Linux kernel's staging atomisp (Intel Atom ISP) media driver. A local attacker with a low-privilege account can invoke private IOCTL commands that bypass expected access controls, reaching unsafe kernel code paths. Successful exploitation gives the attacker full read, write, and crash capability over the affected kernel, enabling data theft, data tampering, or a complete system denial of service. Patched-image rebuilds at the fix versions (6.6.140, 6.12.90, 6.18.32, and the associated upstream commits) are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built kernel or base images that package an affected Linux version. Images in both registry scans and active CI/CD pipeline scans are covered.
HarborGuard scores this CVE at CVSS 7.8 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox inside each customer organization based on configured policy rules.
A patched-image rebuild at fix versions 6.6.140, 6.12.90, or 6.18.32 (whichever applies to the base image in question) is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to the target is required.
- Authentication: Required
Any low-privilege local account is sufficient to invoke the vulnerable IOCTL interface; no elevated or administrative credentials are needed.
- Victim interaction: Not required
No user interaction is required; the attacker can trigger the vulnerability entirely on their own.
- Attack complexity: Low
Exploit reliability is high: no race conditions, memory-layout dependencies, or other environmental factors need to be satisfied for the attack to succeed.
Blast Radius
- A successful attacker reads arbitrary kernel memory, exposing stored credentials, session tokens, and sensitive process data from other users or containers on the host.
- The attacker writes to arbitrary kernel memory, allowing modification of security controls, process credentials, or persisted data on attached storage.
- The attacker can crash the kernel entirely, taking down all workloads running on the affected node and causing a full denial of service.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication and matches images across registries and pipelines, including custom kernel-carrying base images. For environments running Linux kernels prior to 6.6.140, 6.12.90, or 6.18.32, a patched-image rebuild becomes available as soon as the fix version is confirmed against the scanned image manifest. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, executes a regression run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy restricts auto-remediation, the finding is routed to the designated team inbox with CVSS context and fix-version details attached. Because this vulnerability requires local access, compensating controls such as restricting shell access to container hosts, enforcing strict pod security admission policies, and limiting access to /dev device nodes can reduce exposure while patching is scheduled.
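As an added example that is not part of this advisory or of the kernel project: a POSIX shell check that classifies a kernel version string against the fix versions listed on this page (6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc1) and the 4.12 point from which the driver is affected. It assumes that a stable series with no listed fix (for example 6.10.x or 5.15.x) is still affected; that is an assumption made here, not something the page states.

```shell
#!/bin/sh
# Added example: classify a kernel version against the fix versions this
# advisory lists. Not part of the advisory or of the Linux kernel project.

# kernel_status VERSION
# Prints one of: unaffected, affected, fixed
kernel_status() {
    ver=$1
    # Keep only the leading numeric part: "6.6.140-generic" -> "6.6.140",
    # "7.1-rc1" -> "7.1"
    base=$(printf '%s' "$ver" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -s -d. -f2)
    patch=$(printf '%s' "$base" | cut -s -d. -f3)
    [ -n "$minor" ] || minor=0
    [ -n "$patch" ] || patch=0

    # Compare major.minor as a single integer (6.12 -> 6012)
    mm=$((major * 1000 + minor))

    # Driver affected from 4.12 (per the advisory's affected-products entry)
    if [ "$mm" -lt 4012 ]; then
        echo unaffected
        return
    fi
    # Mainline fixed from 7.1-rc1, so any 7.1 or later tree is fixed
    if [ "$mm" -ge 7001 ]; then
        echo fixed
        return
    fi

    # First fixed patch level per stable series, taken from the advisory
    case "$major.$minor" in
        6.6)  fixed_patch=140 ;;
        6.12) fixed_patch=90 ;;
        6.18) fixed_patch=32 ;;
        7.0)  fixed_patch=9 ;;
        *)    fixed_patch= ;;
    esac

    # Assumption: a series without a listed fix carries no backport, so it
    # is treated as affected
    if [ -z "$fixed_patch" ]; then
        echo affected
        return
    fi
    if [ "$patch" -ge "$fixed_patch" ]; then
        echo fixed
    else
        echo affected
    fi
}

# Usage: sh check_kernel.sh [VERSION]   (defaults to the running kernel)
kernel_status "${1:-$(uname -r)}"
```

A version match only says the source tree contains the vulnerable driver; whether the atomisp module is actually built into or loaded on a given host (for example via lsmod) is a separate check, and the compensating controls above apply regardless of the result.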
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux (git ranges): < 8c7a281a99224a5b9af99c4dcd98d68eea75926c (from a49d25364dfb9f8a64037488a39ab1f56c5fa419) · < 6f1ce75a75c65061e7a720c3d0ee5f8adab7a2d3 (from a49d25364dfb9f8a64037488a39ab1f56c5fa419) · < c7848b67ef10f581114b6a2f52b160fc20eb52c9 (from a49d25364dfb9f8a64037488a39ab1f56c5fa419) · < 6850a439f8d23d4979624f1d6880d3118d473a28 (from a49d25364dfb9f8a64037488a39ab1f56c5fa419) · < 2b7eb2c5dc72f0fc954ac4aa155f9e285e937f7c (from a49d25364dfb9f8a64037488a39ab1f56c5fa419)
- Linux / Linux (versions): affected from 4.12; fixed in 0, 6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H