CRITICAL · CVE-2026-46289 · CNA: Linux

CVE-2026-46289: lib/scatterlist: fix length calculations in extract_kvec_to_sg

In the Linux kernel, the following vulnerability has been resolved:

lib/scatterlist: fix length calculations in extract_kvec_to_sg

Patch series "Fix bugs in extract_iter_to_sg()", v3.

Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev.

The main bugs are:

- The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended.
- When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist.

The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself.

The bugs were originally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+.

This patch (of 5):

When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything.

While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.

A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.
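The per-page length clamp, the shortened return when entries run out, and the early return with no entries, as described in the commit message above, shown as an added userspace model in C. This is not the kernel's code and not part of the original record: struct model_sg, model_extract(), its clamp switch, model_case() and the 4 KiB page size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MODEL_PAGE_SIZE 4096u /* assumption: 4 KiB pages */

/* Hypothetical stand-in for one scatterlist entry (not the kernel struct). */
struct model_sg { uintptr_t page; size_t off; size_t len; };

/* Describe [addr, addr+len) with at most sg_max entries, one page per entry.
 * clamp=0 stores the whole remaining length instead of the per-page length,
 * so an entry can run past its page. Returns the bytes actually covered. */
size_t model_extract(uintptr_t addr, size_t len, struct model_sg *sg,
                     size_t sg_max, int clamp, size_t *used)
{
    size_t done = 0;
    *used = 0;
    if (sg_max == 0)                 /* no entries at all: return at once */
        return 0;
    while (len > 0 && *used < sg_max) {
        size_t off = addr % MODEL_PAGE_SIZE;
        size_t seg = MODEL_PAGE_SIZE - off;   /* bytes left in this page */
        if (seg > len)
            seg = len;
        sg[*used] = (struct model_sg){ addr - off, off, clamp ? seg : len };
        (*used)++;
        addr += seg;
        len -= seg;
        done += seg;                 /* report only what was described */
    }
    return done;
}

/* Invariant a test can assert: no entry extends past the end of its page. */
int model_sg_within_pages(const struct model_sg *sg, size_t used)
{
    for (size_t i = 0; i < used; i++)
        if (sg[i].len > MODEL_PAGE_SIZE - sg[i].off)
            return 0;
    return 1;
}

/* Constructed case: 0x300 bytes starting 0x100 before a page end (sg_max <= 4).
 * Returns bytes covered, or -1 if any entry crosses its page. */
long model_case(size_t sg_max, int clamp)
{
    struct model_sg sg[4];
    size_t used, n = model_extract(0x10F00, 0x300, sg, sg_max, clamp, &used);
    return model_sg_within_pages(sg, used) ? (long)n : -1;
}

int main(void) { return (model_case(4, 1) == 0x300 && model_case(4, 0) == -1) ? 0 : 1; }
```

The invariant check is the useful part for regression testing: it fails for the unclamped run on any buffer that straddles a page boundary.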

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 0
Affected Products: 2

HarborGuard Analysis

Synopsis

A length-calculation error in the Linux kernel's scatterlist library (lib/scatterlist, function extract_kvec_to_sg) allows a remote, unauthenticated attacker to exploit an out-of-bounds memory condition over the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the service is reachable directly over the network with no credentials or user interaction required. Successful exploitation gives an attacker full read, write, and crash capability against the affected system. Patched-image rebuilds at versions 6.6.140 and 6.12.88 (and the corresponding upstream commit refs) are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46289 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that carry affected kernel versions. Any image in a connected registry or CI pipeline that includes a Linux kernel in the 6.3-through-6.6.139 or 6.3-through-6.12.87 range is flagged automatically.

Status: Available

Triage

HarborGuard surfaces CVE-2026-46289 with its CVSS v3.1 score of 9.8 (Critical), applying per-environment compliance policy weights to prioritize it against each customer org's risk thresholds. Triage routing is available to direct the finding to the team inbox or ticketing integration configured for the affected workload.

Status: Available

Patch

A patched-image rebuild at kernel versions 6.6.140 and 6.12.88 becomes available on HarborGuard once an upstream base image incorporating those fixes is published. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a PR against affected workloads automatically, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues in environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The CVSS vector specifies AV:N, meaning an attacker must be able to reach the vulnerable service over the network; no local or physical access is assumed.

  • Authentication: Not required

    PR:N indicates no credentials of any privilege level are needed to trigger the vulnerability.

  • Victim interaction: Not required

    UI:N means the attacker does not rely on any action by a logged-in user or administrator to complete the exploit.

  • Attack complexity: Detail

    AC:L indicates the exploit is reliable and condition-free, requiring no race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • A successful attacker reads arbitrary kernel memory, exposing cryptographic keys, session tokens, and sensitive data held in kernel buffers.
  • A successful attacker writes to kernel memory, allowing modification of kernel data structures, privilege escalation, or injection of attacker-controlled content into kernel operations.
  • A successful attacker crashes the affected kernel, taking down all services and workloads running on the host.

How HarborGuard Handles This

Available on HarborGuard: images containing an affected Linux kernel version are matched against CVE-2026-46289 at ingestion time, with no manual feed configuration required. Where a customer's base image has been updated to a distribution release carrying kernel 6.6.140, 6.12.88, or one of the upstream fix commits (07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45 or 3f17500e86d730c76db638bb3ae52f9b5e496c76), a patched-image rebuild becomes available immediately. For customers who opt into auto-remediation, the full flow, rebuild plus regression run plus PR opened against affected workloads, is available with a median turnaround of around 90 minutes for Critical-severity issues. Where compliance policy does not permit auto-remediation, the finding is routed to the configured team inbox with the CVSS 9.8 score and affected image list attached. Given that this bug is exploitable without authentication from the network and carries full confidentiality, integrity, and availability impact, prioritizing rapid patch application or isolating affected workloads behind strict network policy until patched images are deployed is strongly advised.

Fix available

0 · 07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45 · 3f17500e86d730c76db638bb3ae52f9b5e496c76 · 6.6.140 · 6.12.88 · 6.18.30 · 7.0.7 · 7.1-rc1 · 8fbba6829057979149d1b37d65690c037f3ddf4d · 9d38756d0a93b66163554219fa9c3365f40c4035 · e5e22fc9963469e678c4f4bb38d26adcec107f1e

Affected packages
  • Linux / Linux
    < 3f17500e86d730c76db638bb3ae52f9b5e496c76 (from 0185846975339a5c348373aa450a977f5242366b) · < e5e22fc9963469e678c4f4bb38d26adcec107f1e (from 0185846975339a5c348373aa450a977f5242366b) · < 8fbba6829057979149d1b37d65690c037f3ddf4d (from 0185846975339a5c348373aa450a977f5242366b) · < 9d38756d0a93b66163554219fa9c3365f40c4035 (from 0185846975339a5c348373aa450a977f5242366b) · < 07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45 (from 0185846975339a5c348373aa450a977f5242366b)
  • Linux / Linux
    6.3
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H