HIGH · CVE-2026-46277 · CNA: Linux

CVE-2026-46277: mm/zone_device: do not touch device folio after calling ->folio_free()

In the Linux kernel, the following vulnerability has been resolved:

mm/zone_device: do not touch device folio after calling ->folio_free()

The contents of a device folio can immediately change after calling ->folio_free(), as the folio may be reallocated by a driver with a different order. Instead of touching the folio again to extract the pgmap, use the local stack variable when calling percpu_ref_put_many().
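The pattern described above, as a user-space C model added here for illustration; it is not the kernel's code or the upstream patch, and every identifier in it (folio_model, pgmap_model, driver_folio_free, ref_put_many, owner_refs_after_free) is hypothetical. It assumes the number of references dropped equals the page count of the folio, and it simulates reallocation by overwriting the folio's fields instead of freeing real memory.

```c
#include <stdio.h>

/* User-space model only: every name below is hypothetical, not a kernel symbol. */
struct pgmap_model { long refs; };   /* stands in for the pgmap's percpu reference count */
struct folio_model { struct pgmap_model *pgmap; unsigned int order; };

static struct pgmap_model owner, other;

/* Models a driver ->folio_free(): the driver may reallocate the folio at once,
 * with a different order, so its fields no longer describe the freed folio. */
static void driver_folio_free(struct folio_model *folio)
{
    folio->order = 0;
    folio->pgmap = &other;
}

/* Models percpu_ref_put_many(): drop nr references in one call. */
static void ref_put_many(struct pgmap_model *pgmap, long nr) { pgmap->refs -= nr; }

/* "Before" pattern: reads the folio again after the callback. */
static void free_folio_before(struct folio_model *folio)
{
    long nr = 1L << folio->order;     /* assumption: one reference per page */
    driver_folio_free(folio);
    ref_put_many(folio->pgmap, nr);   /* stale read: now points at `other` */
}

/* "After" pattern: pgmap is captured in a local before the callback. */
static void free_folio_after(struct folio_model *folio)
{
    struct pgmap_model *pgmap = folio->pgmap;
    long nr = 1L << folio->order;
    driver_folio_free(folio);
    ref_put_many(pgmap, nr);          /* folio is not touched again */
}

/* Runs one variant on a constructed order-9 folio; returns the owner's remaining refs. */
long owner_refs_after_free(int fixed)
{
    struct folio_model folio = { &owner, 9 };
    owner.refs = 512; other.refs = 100;   /* constructed sample values */
    if (fixed) free_folio_after(&folio); else free_folio_before(&folio);
    return owner.refs;
}

long other_refs(void) { return other.refs; }

int main(void)
{
    printf("before: owner refs left = %ld\n", owner_refs_after_free(0));
    printf("after:  owner refs left = %ld\n", owner_refs_after_free(1));
    return 0;
}
```

In the "before" variant the owning pgmap keeps all of its references while an unrelated one is decremented; in the "after" variant the count is dropped on the pgmap that was read before the callback ran.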

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 0
Affected Products: 2

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's mm/zone_device memory management subsystem. An attacker with a local shell on the host can trigger the flaw without any user interaction, exploiting a window where a device folio is accessed after it has already been freed and potentially reallocated by a driver. Successful exploitation gives the attacker full read, write, and crash capability over the affected system. A patched-image rebuild at the fix versions is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46277 is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle their own kernel or kernel modules.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage results are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild pinned to the fix commits (39928984956037cabd304321cb8f342e47421db5, 85be0a262e39c706edb53c88af8afde2e98222ba) and tagged releases (7.0.4, 7.1-rc1) is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the vulnerable service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to attempt exploitation; no administrative credentials are needed.

  • Victim interaction: Not required

    No victim action is required; the attacker can trigger the use-after-free entirely through their own process activity.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once local access is established; no race conditions or specific memory layout dependencies are specified by the CVSS vector.

Blast Radius

  • Reads arbitrary kernel memory, exposing secrets such as credentials, cryptographic keys, and session tokens held in kernel space.
  • Writes to arbitrary kernel memory, allowing modification of security policies, process credentials, or persisted data structures.
  • Crashes the affected host entirely, disrupting all workloads running on the node.
  • Achieves kernel-level code execution, bypassing container isolation boundaries and potentially escaping to the underlying host.

How HarborGuard Handles This

Available on HarborGuard: images affected by CVE-2026-46277 are flagged automatically within minutes of the CVE entering upstream feeds. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched kernel version, runs a regression test suite, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuild artifact is staged and the pull request is held for engineer sign-off. Regardless of auto-remediation setting, the triage card for this CVE is routed to the owning team with CVSS score, affected image list, and fix-version details attached.

Fix available

  • 0
  • 39928984956037cabd304321cb8f342e47421db5
  • 7.0.4
  • 7.1-rc1
  • 85be0a262e39c706edb53c88af8afde2e98222ba

Affected packages
  • Linux / Linux
    < 85be0a262e39c706edb53c88af8afde2e98222ba (from d245f9b4ab806733a77e51a218ca7b8bc3135cd9) · < 39928984956037cabd304321cb8f342e47421db5 (from d245f9b4ab806733a77e51a218ca7b8bc3135cd9)
  • Linux / Linux
    6.19
    Fixed in 0, 7.0.4, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H