CVE-2026-46319: net/sched: act_ct: Only release RCU read lock after ct_ft
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ct: Only release RCU read lock after ct_ft

When looking up a flow table in act_ct in tcf_ct_flow_table_get(), rhashtable_lookup_fast() internally opens and closes an RCU read critical section before returning ct_ft. The tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero() is invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft object. This vulnerability can lead to privilege escalation.

Analysis from zdi-disclosures@trendmicro.com:

When initializing act_ct, tcf_ct_init() is called, which internally triggers tcf_ct_flow_table_get().

```c
static int tcf_ct_flow_table_get(struct net *net,
				 struct tcf_ct_params *params)
{
	struct zones_ht_key key = { .net = net, .zone = params->zone };
	struct tcf_ct_flow_table *ct_ft;
	int err = -ENOMEM;

	mutex_lock(&zones_mutex);
	ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1]
	if (ct_ft && refcount_inc_not_zero(&ct_ft->ref))                // [2]
		goto out_unlock;
	...
}

static __always_inline void *rhashtable_lookup_fast(
	struct rhashtable *ht, const void *key,
	const struct rhashtable_params params)
{
	void *obj;

	rcu_read_lock();
	obj = rhashtable_lookup(ht, key, params);
	rcu_read_unlock();

	return obj;
}
```

At [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft from zones_ht. The lookup is performed within an RCU read critical section through rcu_read_lock() / rcu_read_unlock(), which prevents the object from being freed. However, at the point of function return, rcu_read_unlock() has already been called, and there is nothing preventing ct_ft from being freed before reaching refcount_inc_not_zero(&ct_ft->ref) at [2]. This interval becomes the race window, during which ct_ft can be freed.

Free Process:

tcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() -> call_rcu() -> tcf_ct_params_free_rcu() -> tcf_ct_params_free() -> tcf_ct_flow_table_put().

```c
static void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)
{
	if (refcount_dec_and_test(&ct_ft->ref)) {
		rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params);
		INIT_RCU_WORK(&ct_ft->rwork, tcf_ct_flow_table_cleanup_work); // [3]
		queue_rcu_work(act_ct_wq, &ct_ft->rwork);
	}
}
```

At [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work.

```c
static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
{
	struct tcf_ct_flow_table *ct_ft;
	struct flow_block *block;

	ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
			     rwork);
	nf_flow_table_free(&ct_ft->nf_ft);

	block = &ct_ft->nf_ft.flow_block;
	down_write(&ct_ft->nf_ft.flow_block_lock);
	WARN_ON(!list_empty(&block->cb_list));
	up_write(&ct_ft->nf_ft.flow_block_lock);
	kfree(ct_ft); // [4]

	module_put(THIS_MODULE);
}
```

tcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes between [1] and [2], UAF occurs.

This race condition has a very short race window, making it generally difficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was inserted after [1].
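To make the race above concrete, the following is an added single-threaded C model written for this page; it is not kernel code and not part of the advisory. It contrasts the pre-fix shape, where rhashtable_lookup_fast() closes the RCU read section before the caller reaches refcount_inc_not_zero(), with the post-fix shape that takes the reference while still inside the read section. RCU is modelled as a reader counter that holds back a deferred free, a race_hook stands in for the concurrent final tcf_ct_flow_table_put() plus its cleanup work, and a freed flag stands in for KASAN. The one-slot zones_ht, the functions flow_table_get_buggy / flow_table_get_fixed / run_buggy / run_fixed and the victim helpers are all this example's own names and assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal model of struct tcf_ct_flow_table: only what the race touches. */
struct ct_ft {
	int ref;        /* refcount_t ref */
	bool freed;     /* stands in for KASAN: set once the deferred kfree() runs */
};

enum get_result { GET_REUSED, GET_ALLOC_NEW, GET_UAF };

static struct ct_ft *zones_ht;        /* one-slot stand-in for the zones rhashtable (assumption) */
static int rcu_readers;               /* open RCU read-side critical sections */
static struct ct_ft *rcu_pending;     /* object handed to queue_rcu_work() */
static void (*race_hook)(void);       /* simulates the concurrent thread */

/* A grace period can only end while no reader is inside a read section. */
static void rcu_try_finish_grace_period(void)
{
	if (rcu_readers == 0 && rcu_pending) {
		rcu_pending->freed = true;    /* cleanup_work(): kfree(ct_ft) at [4] */
		rcu_pending = NULL;
	}
}

static void rcu_read_lock(void)   { rcu_readers++; }
static void rcu_read_unlock(void) { rcu_readers--; rcu_try_finish_grace_period(); }
static void queue_rcu_work(struct ct_ft *ft) { rcu_pending = ft; rcu_try_finish_grace_period(); }

static bool refcount_inc_not_zero(struct ct_ft *ft)
{
	if (ft->ref == 0)
		return false;
	ft->ref++;
	return true;
}

/* tcf_ct_flow_table_put(): the last reference unlinks the entry and defers the free. */
static void flow_table_put(struct ct_ft *ft)
{
	if (--ft->ref == 0) {
		zones_ht = NULL;              /* rhashtable_remove_fast() */
		queue_rcu_work(ft);           /* [3]: cleanup work runs after a grace period */
	}
}

static struct ct_ft *rhashtable_lookup(void) { return zones_ht; }

/* Pre-fix shape: rhashtable_lookup_fast() leaves the read section before returning. */
static enum get_result flow_table_get_buggy(void)
{
	struct ct_ft *ft;

	rcu_read_lock();
	ft = rhashtable_lookup();
	rcu_read_unlock();                    /* [1]: from here a grace period can complete */

	if (race_hook)
		race_hook();                  /* concurrent put + cleanup_work land in the window */

	if (ft) {
		if (ft->freed)
			return GET_UAF;       /* [2]: refcount_inc_not_zero() would read freed memory */
		if (refcount_inc_not_zero(ft))
			return GET_REUSED;
	}
	return GET_ALLOC_NEW;
}

/* Post-fix shape: take the reference before leaving the read section. */
static enum get_result flow_table_get_fixed(void)
{
	struct ct_ft *ft;
	enum get_result r = GET_ALLOC_NEW;

	rcu_read_lock();
	ft = rhashtable_lookup();
	if (race_hook)
		race_hook();                  /* put may unlink the entry but cannot free it yet */
	if (ft) {
		if (ft->freed)
			r = GET_UAF;          /* unreachable: our read section blocks the grace period */
		else if (refcount_inc_not_zero(ft))
			r = GET_REUSED;       /* ref is 0 if put already ran, so we fall through to alloc */
	}
	rcu_read_unlock();                    /* the deferred kfree() may run only now */
	return r;
}

/* Scenario driver: one entry held by owner_refs users; the owner may drop one ref in the window. */
static struct ct_ft victim;
static void owner_drops_ref(void) { flow_table_put(&victim); }

static void reset(int owner_refs, bool race)
{
	victim.ref = owner_refs;
	victim.freed = false;
	zones_ht = &victim;
	rcu_readers = 0;
	rcu_pending = NULL;
	race_hook = race ? owner_drops_ref : NULL;
}

enum get_result run_buggy(int owner_refs, bool race) { reset(owner_refs, race); return flow_table_get_buggy(); }
enum get_result run_fixed(int owner_refs, bool race) { reset(owner_refs, race); return flow_table_get_fixed(); }
bool victim_freed(void) { return victim.freed; }
int victim_refs(void) { return victim.ref; }

int main(void)
{
	static const char *names[] = { "reused", "alloc-new", "UAF" };
	printf("buggy, last ref dropped in window: %s\n", names[run_buggy(1, true)]);
	printf("fixed, last ref dropped in window: %s, freed after reader left: %d\n",
	       names[run_fixed(1, true)], victim_freed());
	printf("fixed, no race: %s, ref=%d\n", names[run_fixed(1, false)], victim_refs());
	return 0;
}
```

The model keeps the upstream ordering: in the fixed path the concurrent put can still unlink the entry and reach refcount zero, but the open read section defers the free until the lookup thread has either taken a reference or given up and gone on to allocate a fresh table, which is exactly why the fix moves rcu_read_unlock() past refcount_inc_not_zero() instead of adding a lock around the put side.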
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1-rc1
- Affected Products: 2
HarborGuard Analysis
Synopsis
A use-after-free race condition exists in the Linux kernel's traffic-control subsystem, in the act_ct action module that hands packets to connection tracking. In tcf_ct_flow_table_get(), the flow-table object returned by rhashtable_lookup_fast() is no longer protected by the RCU read lock by the time refcount_inc_not_zero() runs on it, so a concurrent tcf_ct_flow_table_put() and its cleanup work can free the object in between. The flaw is reachable locally and, per the CVSS vector, requires only low privileges; no network access or user interaction is needed. Successful exploitation corrupts kernel memory and, per the upstream advisory, can lead to privilege escalation to root. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
- Available: Detection of CVE-2026-46319 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle an affected Linux kernel version.
- Available: HarborGuard scores this finding at CVSS 7.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within the customer organization based on configured ownership rules.
- Available: A patched-image rebuild targeting the fix commits (including the 5.10.258 stable release) is available on HarborGuard for any image found to carry an affected kernel version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network exposure is required to trigger the vulnerability.
- Authentication: Required
A low-privilege local account is sufficient to reach the vulnerable code path. Note that act_ct actions are created through rtnetlink (tc action ct ...), which requires CAP_NET_ADMIN in the caller's network namespace; on hosts that allow unprivileged user namespaces, an ordinary user can obtain that capability in a namespace of their own, which is what makes the path reachable from a low-privilege account.
- Victim interaction: Not required
No user interaction is needed; the attacker can trigger the race condition entirely on their own.
- Attack complexity: Detail
CVSS rates attack complexity as Low (AC:L). In practice, however, this is a race condition with a very short window between the table lookup at [1] and refcount_inc_not_zero() at [2]; the upstream analysis reports that triggering it required inserting an msleep(100) into the kernel to widen the window. Reliable exploitation on an unmodified kernel therefore depends on winning that race and on controlling what reuses the freed ct_ft allocation.
Blast Radius
- A failed or partially successful attempt is most likely to crash the kernel (a use-after-free on the ct_ft refcount), taking down the host and all containers running on it.
- A working exploit that controls what replaces the freed ct_ft can turn the use-after-free into a kernel memory read, exposing credentials, session tokens, and other sensitive data held in kernel space.
- The same primitive can be used to write kernel memory, modifying security policies, credential structures, or other kernel data.
- By corrupting kernel data structures in this way, an attacker escalates from a low-privilege local user to full root privileges on the affected host.
How HarborGuard Handles This
Available on HarborGuard: images containing an affected Linux kernel version are flagged automatically within minutes of CVE ingestion, including those built from internal base images. For customers who opt into auto-remediation, HarborGuard rebuilds the image at a fixed kernel version (5.10.258 or the corresponding upstream fix commits), runs a regression test suite against the rebuilt image, and opens a pull request against affected workloads. For HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a detailed finding report are staged and waiting for review. Because the fix is now upstream, no compensating-control workaround is needed. Customers who cannot update immediately can reduce exposure by cutting off the way an unprivileged user reaches tcf_ct_init(): creating a tc ct action needs CAP_NET_ADMIN in a network namespace, so disabling unprivileged user namespaces (for example user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on distributions that carry that sysctl), preventing the act_ct module from loading on hosts that do not use it (an `install act_ct /bin/false` line under /etc/modprobe.d/), and dropping CAP_NET_ADMIN or blocking NETLINK_ROUTE sockets in container seccomp profiles all narrow the attack surface. None of these is a substitute for the kernel update.
Fix available
- Linux / Linux: affected from commit 138470a9b2cc2e26e6018300394afc3858a54e6a; fixed by commits ece578ca61e572df96cfc80456357ebfae0b4b9e, a2e0c045c87aa252eb61412e67dd91f2c2b19f81, 67c9ecc9f2575273ed1323e312881fc98ac83d6d, f23424a0ddadb494d4bd57056a7ca703312d3a7b, 17dfb67cb399b660105d9a8c6100851c0d0cdc70, 4c727c6967a41b37efe0f26332ca9ec5b74785a3
- Linux / Linux, affected from 5.7: fixed in 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1-rc1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H