HIGH · CVE-2026-46280 · CNA: Linux

CVE-2026-46280: lib: test_hmm: evict device pages on file close to avoid use-after-free

In the Linux kernel, the following vulnerability has been resolved:

lib: test_hmm: evict device pages on file close to avoid use-after-free

Patch series "Minor hmm_test fixes and cleanups". Two bugfixes and a cleanup for the HMM kernel selftests. These were mostly reported by Zenghui Yu, with special thanks to Lorenzo for analysing and pointing out the problems.

This patch (of 3):

When dmirror_fops_release() is called it frees the dmirror struct but doesn't migrate device private pages back to system memory first. This leaves those pages with a dangling zone_device_data pointer to the freed dmirror. If a subsequent fault occurs on those pages (e.g. during coredump) the dmirror_devmem_fault() callback dereferences the stale pointer, causing a kernel panic.

This was reported [1] when running mm/ksft_hmm.sh on arm64, where a test failure triggered SIGABRT and the resulting coredump walked the VMAs, faulting in the stale device private pages.

Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in dmirror_fops_release() to migrate all device private pages back to system memory before freeing the dmirror struct. The function is moved earlier in the file to avoid a forward declaration.
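The lifecycle problem in the description is easier to see in a small model. The following is an added example, not the kernel's test_hmm code: a user-space C program in which device-private pages carry a back-pointer to the per-open dmirror struct (standing in for page->zone_device_data), a buggy release frees that struct while pages still reference it, and a fixed release first runs an evict routine over every chunk so the fault path can no longer reach freed memory. All struct layouts, sizes and the sysmem/devmem arrays are constructed stand-ins; the function names mirror the ones in the description only to make the mapping obvious.

```c
/* Added example (not kernel code): user-space model of the test_hmm
 * close-path bug and of the fix (evict device pages before freeing the owner).
 * Every name, size and array here is a constructed stand-in. */
#include <stdio.h>
#include <stdlib.h>

#define NCHUNKS     2
#define CHUNK_PAGES 4

struct dmirror;

/* Stand-in for a device-private page. In the real driver the back-pointer is
 * page->zone_device_data, which the fault callback dereferences. */
struct dev_page {
    int device_private;               /* 1 while contents live in device memory */
    struct dmirror *zone_device_data; /* owner; dangling after a buggy release */
    unsigned long data;               /* stand-in for page contents */
};

struct dev_chunk { struct dev_page pages[CHUNK_PAGES]; };

/* Device memory outlives any single open file: this is exactly what makes
 * freeing the owner without eviction dangerous. */
static struct dev_chunk devmem[NCHUNKS];

/* System memory that pages are migrated back to on eviction or on fault. */
static unsigned long sysmem[NCHUNKS][CHUNK_PAGES];

/* Per-open state, freed on file close (the struct that goes stale). */
struct dmirror {
    struct dev_chunk *chunks[NCHUNKS];
    int faults_served;   /* reached through zone_device_data in the fault path */
};

/* Open: claim the chunks and point every page back at this dmirror. */
struct dmirror *dmirror_open(void)
{
    struct dmirror *d = calloc(1, sizeof(*d));
    if (!d)
        return NULL;
    for (int c = 0; c < NCHUNKS; c++) {
        d->chunks[c] = &devmem[c];
        for (int p = 0; p < CHUNK_PAGES; p++) {
            devmem[c].pages[p].device_private = 1;
            devmem[c].pages[p].zone_device_data = d;
            devmem[c].pages[p].data = (unsigned long)(c * CHUNK_PAGES + p + 100);
        }
    }
    return d;
}

/* Evict one chunk: copy contents to system memory and clear the back-pointer.
 * Defined ahead of the release paths so no forward declaration is needed. */
int dmirror_device_evict_chunk(struct dev_chunk *chunk, unsigned long *dst)
{
    int migrated = 0;
    for (int p = 0; p < CHUNK_PAGES; p++) {
        struct dev_page *pg = &chunk->pages[p];
        if (!pg->device_private)
            continue;
        dst[p] = pg->data;
        pg->device_private = 0;
        pg->zone_device_data = NULL;
        migrated++;
    }
    return migrated;
}

/* Number of device-private pages still pointing at d. */
int pages_still_referencing(const struct dmirror *d)
{
    int n = 0;
    for (int c = 0; c < NCHUNKS; c++)
        for (int p = 0; p < CHUNK_PAGES; p++) {
            const struct dev_page *pg = &d->chunks[c]->pages[p];
            if (pg->device_private && pg->zone_device_data == d)
                n++;
        }
    return n;
}

/* Fault callback: an access to a page still marked device-private follows
 * zone_device_data, which is only safe while the owner is alive. */
int dmirror_devmem_fault(struct dev_page *pg, unsigned long *dst)
{
    if (!pg->device_private)
        return 0;                              /* already in system memory */
    struct dmirror *d = pg->zone_device_data;  /* stale after a buggy release */
    d->faults_served++;
    *dst = pg->data;
    pg->device_private = 0;
    pg->zone_device_data = NULL;
    return 1;
}

/* Buggy release: frees the owner while pages still point at it.
 * Returns how many pages are left dangling at the moment of free. */
int dmirror_fops_release_buggy(struct dmirror *d)
{
    int dangling = pages_still_referencing(d);
    free(d);
    return dangling;
}

/* Fixed release: evict every chunk first so no page can reach the freed struct. */
int dmirror_fops_release_fixed(struct dmirror *d)
{
    for (int c = 0; c < NCHUNKS; c++)
        dmirror_device_evict_chunk(d->chunks[c], sysmem[c]);
    int dangling = pages_still_referencing(d);
    free(d);
    return dangling;
}

int main(void)
{
    struct dmirror *d = dmirror_open();
    printf("pages referencing owner before close: %d\n", pages_still_referencing(d));
    printf("dangling after fixed close: %d\n", dmirror_fops_release_fixed(d));
    unsigned long out = 0;
    printf("fault after fixed close did work: %d\n",
           dmirror_devmem_fault(&devmem[0].pages[0], &out));
    d = dmirror_open();
    printf("dangling after buggy close: %d\n", dmirror_fops_release_buggy(d));
    return 0;
}
```

The invariant the fix restores is the one pages_still_referencing() measures: by the time the owning struct is freed, no page may still carry a back-pointer to it. In the buggy path that count is the full page set, and any later fault (the coredump VMA walk in the report) would dereference it; in the fixed path eviction drives it to zero before free(), so the fault callback returns early without touching the owner.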

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's HMM (Heterogeneous Memory Management) test module, specifically in the dmirror device driver's file-close path. The flaw is reachable locally by a low-privileged user who can trigger a fault on device private pages after the dmirror struct has been freed, for example by triggering a coredump on a failing test process. Successful exploitation causes a kernel panic via a stale pointer dereference, and can grant the attacker full read, write, and availability impact over the host kernel. A patched-image rebuild at fix versions 6.6.140 and 6.12.86 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-46280 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built kernel images, in connected registries and CI/CD pipelines. Images carrying an affected Linux kernel version are flagged automatically without requiring manual configuration.

Triage (Available)

HarborGuard scores this CVE at CVSS 7.8 HIGH (v3.1) and can weight that score against each customer environment's compliance policy to determine escalation priority. Triage results are routable to the appropriate team inbox within each customer org based on policy-defined severity thresholds and image ownership rules.

Patch (Available)

A patched-image rebuild at Linux kernel versions 6.6.140 and 6.12.86 is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required to trigger the vulnerable code path.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrator or root credentials to reach the vulnerable file-close path.

  • Victim interaction: Not required

    No victim action is needed; the attacker triggers the fault independently by interacting with the HMM test device file.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • The attacker causes a kernel panic by dereferencing a freed dmirror struct pointer, crashing the affected host and denying service to all workloads running on it.
  • The use-after-free condition in kernel context gives the attacker the ability to read arbitrary kernel memory, exposing secrets, credentials, or other sensitive data held in kernel space at the time of the fault.
  • With kernel-level write access enabled by the freed memory region, the attacker can overwrite kernel data structures to escalate privileges or modify system behavior persistently.
  • Any container or process sharing the affected kernel is exposed; isolation boundaries at the container or VM level do not prevent impact once kernel code execution is achieved.

How HarborGuard Handles This

Available on HarborGuard: detection runs automatically against all images in connected registries and pipelines, flagging any image that packages a Linux kernel version below 6.6.140 or 6.12.86 on affected branch lines. For customers who opt into auto-remediation, HarborGuard can trigger a patched-image rebuild at the fixed kernel version, execute a regression test run, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval before remediation, the CVE will appear in the priority triage queue scored at CVSS 7.8 HIGH with full vector detail, ready for engineer review and sign-off.


Fix available

Fix versions and fixing commits (as listed by the feed):
  • 0
  • 38f113f81d3f0adc658a4475dd3ecaec985e21d3
  • 5846715b6382dd4c6a69b35a56ca6115d33bc2a0
  • 6.6.140
  • 6.12.86
  • 6.18.27
  • 7.0.4
  • 7.1-rc1
  • 744dd97752ef1076a8d8672bb0d8aa2c7abc1144
  • 9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1
  • bf477abd448c76bb8ea51c9b4f63a3a17c4b6239

Affected packages

  • Linux / Linux (by commit range, each range starting from b2ef9f5a5cb37643ca5def3516c546457074b882):
    • < bf477abd448c76bb8ea51c9b4f63a3a17c4b6239
    • < 5846715b6382dd4c6a69b35a56ca6115d33bc2a0
    • < 38f113f81d3f0adc658a4475dd3ecaec985e21d3
    • < 9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1
    • < 744dd97752ef1076a8d8672bb0d8aa2c7abc1144
  • Linux / Linux (by version): 5.8
    Fixed in 0, 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H