CVE-2026-46259: procfs: fix missing RCU protection when reading real_parent in do_task_stat()
In the Linux kernel, the following vulnerability has been resolved:

procfs: fix missing RCU protection when reading real_parent in do_task_stat()

When reading /proc/[pid]/stat, do_task_stat() accesses task->real_parent without proper RCU protection, which leads to:

    cpu 0                                   cpu 1
    -----                                   -----
    do_task_stat
      var = task->real_parent
                                            release_task
                                              call_rcu(delayed_put_task_struct)
      task_tgid_nr_ns(var)
        rcu_read_lock    <--- Too late to protect task->real_parent!
        task_pid_ptr     <--- UAF!
        rcu_read_unlock

This patch uses task_ppid_nr_ns() instead of task_tgid_nr_ns() to add proper RCU protection for accessing task->real_parent.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A use-after-free bug in the Linux kernel's procfs subsystem allows a local attacker to exploit a race condition when reading /proc/[pid]/stat. The vulnerability is reachable locally and requires only a low-privilege account, with no victim interaction needed. Successful exploitation gives the attacker full read, write, and crash capability over the affected kernel, including arbitrary memory reads of sensitive data, memory corruption, and a kernel crash. Patched-image rebuilds at the fix commits (including the 5.10.252 stable release) are available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
- Available: Detection of CVE-2026-46259 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle affected Linux kernel versions.
- Available: HarborGuard scores this CVE at CVSS 7.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing; findings are delivered to the appropriate team inbox within each customer organization without manual intervention.
- Available: A patched-image rebuild pinned to kernel 5.10.252 or the relevant upstream fix commits becomes available on HarborGuard once the upstream fix is confirmed in a customer's base image. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression test pass, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to the target is required.
- Authentication: Required
Any low-privilege local account is sufficient to trigger the race condition via repeated reads of /proc/[pid]/stat.
- Victim interaction: Not required
No user interaction is needed; the attacker can trigger the race condition entirely on their own.
- Attack complexity: Low
Attack complexity is rated Low, meaning the race window is reliably exploitable without requiring special memory layout, timing precision beyond a standard race loop, or other environmental preconditions.
Blast Radius
- A successful attacker reads arbitrary kernel memory, exposing credentials, cryptographic keys, and other sensitive data held in kernel structures.
- The attacker writes to freed kernel memory, corrupting kernel data structures and enabling privilege escalation to root.
- The corrupted kernel state can crash the host, taking down all containers and workloads running on the affected node.
- Because the bug lives in the kernel shared by all containers on a node, a compromised container could affect workloads belonging to other tenants on the same host.
How HarborGuard Handles This
Available on HarborGuard: images built on Linux kernel versions prior to the fix commits are flagged immediately upon scan. Where a customer's base image has been updated to kernel 5.10.252 or a commit that includes the upstream fix, a patched rebuild becomes available in the HarborGuard pipeline. For customers who opt into auto-remediation, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes.
Until a base-image upgrade is possible, compensating controls include:
- restricting /proc access inside containers via seccomp or AppArmor profiles that deny reads of /proc/[pid]/stat for untrusted processes;
- applying strict pod security policies to prevent low-privilege containers from running on sensitive nodes;
- isolating multi-tenant node pools so a compromise in one workload cannot reach adjacent workloads.
HarborGuard re-checks the advisory on every ingest cycle and will surface the patched rebuild automatically as updated kernel images become available.
Fix available
- Linux / Linux: fix commits (each fixing the code introduced in 06fffb1267c9d986687b69d74a46ee332a50575e):
  - fefa0fcd78be465b7ad4c497fa6ec90d64194c04
  - c93a33f28f915d446eea6fb3f0e1def0b3af1982
  - 1c8dc5b5517546c68ffae40b948336122bb61306
  - 0e64bd46a04a4fd61279aca9f53a664e9e5f7e7e
  - 73ec7c96601d61d52310c659145bb06d933a0fa6
  - 4f9ae386861e280b7631ca252f798d25575627ee
- Linux / Linux: affected since 2.6.26; fixed in 0, 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
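The fixed-in list above is what a defender needs when triaging hosts and base images by kernel version. The POSIX shell script below is an added example, not HarborGuard's or the kernel project's code: it classifies a kernel release string as unaffected, affected, fixed or unknown using the advisory's own fixed versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4 and 7.0; the stray "0" entry in the list is ignored). It assumes that mainline from 7.0 onward carries the fix and that stable series absent from the list (for example the end-of-life 6.13 to 6.17 series) received no backport and are therefore affected; the function and variable names are invented for this example.

```shell
#!/bin/sh
# Added example (not HarborGuard or kernel-project code): classify a kernel
# release string against the fixed versions listed in this advisory.
# Assumptions: mainline 7.0 and later carry the fix; stable series that are
# absent from the advisory's list never received a backport and are affected.

# Fixed version per stable series, copied from the advisory's "Fixed in" list.
CVE_2026_46259_FIXED="5.10.252 5.15.202 6.1.165 6.6.128 6.12.75 6.18.14 6.19.4"
# Oldest affected release per the advisory's "Affected Products" entry.
CVE_2026_46259_FIRST_AFFECTED="2.6.26"
# Mainline release that contains the fix (assumption, see above).
CVE_2026_46259_MAINLINE_FIXED="7.0.0"

# Reduce a release string such as "6.6.128-0ubuntu1" or "5.15" to x.y.z.
kernel_numeric() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^([0-9]+\.[0-9]+)(\.[0-9]+)?.*$/\1\2/' \
        -e 's/^([0-9]+\.[0-9]+)$/\1.0/'
}

# Succeed when x.y.z version $1 is greater than or equal to x.y.z version $2.
ver_ge() {
    a1=${1%%.*}; ar=${1#*.}; a2=${ar%%.*}; a3=${ar#*.}
    b1=${2%%.*}; br=${2#*.}; b2=${br%%.*}; b3=${br#*.}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]
    elif [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]
    else [ "$a3" -ge "$b3" ]
    fi
}

# Print "unaffected", "affected", "fixed" or "unknown" for a release string.
cve_2026_46259_status() {
    ver=$(kernel_numeric "$1")
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;        # not a parseable kernel version
    esac
    series=${ver%.*}                        # 5.10.252 -> 5.10
    # Releases older than the first affected one never had the bug.
    if ! ver_ge "$ver" "$CVE_2026_46259_FIRST_AFFECTED"; then
        echo unaffected; return 0
    fi
    # Mainline at or after the fixed release (assumption: 7.0).
    if ver_ge "$ver" "$CVE_2026_46259_MAINLINE_FIXED"; then
        echo fixed; return 0
    fi
    # Stable series with a listed backport: compare the patch level.
    for fixed in $CVE_2026_46259_FIXED; do
        if [ "${fixed%.*}" = "$series" ]; then
            if ver_ge "$ver" "$fixed"; then echo fixed; else echo affected; fi
            return 0
        fi
    done
    echo affected                           # series with no listed backport
}

# Usage: report the running kernel.
printf '%s: %s\n' "$(uname -r)" "$(cve_2026_46259_status "$(uname -r)")"
```

Run it on a host to classify `uname -r`, or feed it the kernel version recorded for a container base image. Distribution kernels (RHEL, SLES, Ubuntu and others) often backport fixes without changing the upstream version number, so an "affected" result for such a kernel is a prompt to check the vendor's changelog rather than proof of exposure; a "fixed" result on a stock upstream version is reliable.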