HIGH · CVE-2026-46237 · CNA: Linux

CVE-2026-46237: drm/amdgpu/vcn3: Avoid overflow on msg bound check

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/vcn3: Avoid overflow on msg bound check

As pointed out by SDL, the previous condition may be vulnerable to overflow.

(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)

HarborGuard Analysis


Synopsis

An integer overflow vulnerability exists in the Linux kernel's amdgpu VCN3 video codec driver, specifically in the message bounds-checking logic. The flaw is reachable locally by a low-privileged user who has access to the affected DRM device node, with no network exposure required. Successful exploitation allows an attacker to read sensitive kernel memory and trigger a system crash or denial of service. A patched-image rebuild at the fix versions is available on HarborGuard for environments running an affected kernel version.
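The class of bug named in the synopsis, as an added illustration that is not the amdgpu driver's code or the upstream patch: a 32-bit `offset + size` bound test can wrap, while a comparison against the remaining space cannot. The function names, the `offset`/`size`/`end` parameters and the sample values are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names, not the amdgpu source: offset and size stand for
 * untrusted fields of a message, end for the size of the buffer. */

/* Overflow-prone: the 32-bit sum wraps, so a huge offset plus a small
 * size gives a small result that passes the comparison. */
static bool in_bounds_naive(uint32_t offset, uint32_t size, uint32_t end)
{
    return (uint32_t)(offset + size) <= end;
}

/* Overflow-safe: never add the untrusted values; compare the offset
 * against the space left once size is known to fit. */
static bool in_bounds_safe(uint32_t offset, uint32_t size, uint32_t end)
{
    return size <= end && offset <= end - size;
}

/* Same check with the GCC/Clang checked-add builtin. */
static bool in_bounds_checked(uint32_t offset, uint32_t size, uint32_t end)
{
    uint32_t sum;

    if (__builtin_add_overflow(offset, size, &sum))
        return false;
    return sum <= end;
}

int main(void)
{
    const uint32_t end = 4096; /* constructed sample: 4 KiB buffer */
    const struct { uint32_t offset, size; } cases[] = {
        { 0, 4096 },            /* fits exactly */
        { 4000, 200 },          /* plain overrun, no wrap */
        { 0xFFFFFFF0u, 0x20u }, /* sum wraps to 0x10 */
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("offset=%#x size=%#x naive=%d safe=%d checked=%d\n",
               cases[i].offset, cases[i].size,
               in_bounds_naive(cases[i].offset, cases[i].size, end),
               in_bounds_safe(cases[i].offset, cases[i].size, end),
               in_bounds_checked(cases[i].offset, cases[i].size, end));
    return 0;
}
```

In kernel code the counterpart of the builtin is `check_add_overflow()` from `<linux/overflow.h>`.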

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46237 is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel security feeds within minutes of publication and matched against customer images, including custom-built images that package an affected kernel version.

Triage: Available

Triage is available with the CVSS v3.1 score of 7.1 (HIGH) applied to each matched image, weighted against per-environment compliance policies; findings are routed to the appropriate team inbox within each customer organization based on configured severity thresholds.

Patch: Available

A patched-image rebuild at the upstream fix commits is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the vulnerable component is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to reach the vulnerable DRM device node; no elevated or administrative privileges are needed.

  • Victim interaction: Not required

    No user interaction is required; the attacker can trigger the overflow entirely through their own process.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions or special memory layout requirements need to be satisfied.

Blast Radius

  • A successful attacker reads kernel memory contents accessible through the overflowed bounds check, which may include sensitive data from other processes or kernel structures such as credentials and keys.
  • The overflow can corrupt kernel state in a way that crashes the affected host, causing a full denial of service for all workloads running on that node.

How HarborGuard Handles This

Available on HarborGuard: detection is matched against any image that packages an affected Linux kernel version (all ranges listed in the advisory). Where compliance policy permits, a rebuilt image pinned to the patched commit is prepared automatically. For customers who opt into auto-remediation, the flow includes a rebuilt image, a regression-test run, and a pull request opened against affected workloads, with a median time to merged patch PR of around 90 minutes for high-severity issues. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with the specific affected kernel range and fix commit references so engineering teams can prioritize the upgrade manually. Because the fix is already published upstream, no compensating-control holdover period is expected, but teams unable to upgrade immediately should consider restricting unprivileged access to DRM device nodes via Linux device cgroup rules as a short-term mitigation.


Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

  • 0
  • 016b64a0313ea5346cf526e30c8d3e66aca10175
  • 1936310f68c54be961de38ac539cef9b543207cb
  • 2e43b66fceacd6e982b94f2e3f8b34edd7463396
  • 7.1-rc2
  • e6e9faba8100628990cccd13f0f044a648c303cf
  • e8124121b79ab5d32fa8fbbd101f7208eca9cd7d

Affected packages
  • Linux / Linux
    < 1936310f68c54be961de38ac539cef9b543207cb (from 638d3e0b9eb77aa53fdd60e2b928761d16ba76fa) · < e8124121b79ab5d32fa8fbbd101f7208eca9cd7d (from 870c8738c3774336baedddd0240951d078a703b8) · < 016b64a0313ea5346cf526e30c8d3e66aca10175 (from 638e48ee39d0f2af9336f917a6f5d6692dd64d93) · < 2e43b66fceacd6e982b94f2e3f8b34edd7463396 (from e382e0b81a3e7bd21504fee1d01ae8b08f84d3a7) · < e6e9faba8100628990cccd13f0f044a648c303cf (from b193019860d61e92da395eae2011f2f6716b182f)
  • Linux / Linux
    7.1-rc1
    Fixed in 0, 7.1-rc2
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H