HIGH · CVE-2026-46327 · CNA: Linux

CVE-2026-46327: dm: fix unlocked test for dm_suspended_md

In the Linux kernel, the following vulnerability has been resolved:

dm: fix unlocked test for dm_suspended_md

The function dm_blk_report_zones tests if the device is suspended with the "dm_suspended_md" call. However, this function is called without holding any locks, so the device may be suspended just after it.

Move the call to dm_suspended_md after dm_get_live_table, so that the device can't be suspended after the suspended state was tested.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 0
Affected Products: 2


HarborGuard Analysis

Synopsis

A race condition in the Linux kernel's device mapper (dm) subsystem affects the dm_blk_report_zones function. The function tests whether the device-mapper device is suspended without holding a lock, so the device can be suspended between the check and the subsequent operations, which is a classic time-of-check to time-of-use (TOCTOU) bug. Per the CVSS vector, successful exploitation by a local attacker with a low-privilege account has high impact on the confidentiality, integrity, and availability of the affected system. A patched-image rebuild at the fixed kernel versions is available on HarborGuard for environments running an affected version.
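The check-then-use ordering described above, as an added single-threaded model in C; it is not kernel code and not taken from the upstream patch. `struct dev`, `suspend_attempt`, `do_report`, `report_zones_unlocked` and `report_zones_fixed` are hypothetical names, and the live-table reference is modelled (an assumption) as a reader count that holds off a suspend request.

```c
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical userspace model of a mapped device; not kernel code. */
struct dev {
    bool suspended;     /* what the suspended-state test reports */
    int table_readers;  /* holders of the live-table reference */
};
enum { REPORT_OK = 0, REPORT_ON_SUSPENDED = -1, REPORT_REFUSED = -2 };

/* A suspend request landing between check and use. In this model it
 * only takes effect while nobody holds the live table. */
static void suspend_attempt(struct dev *d) {
    if (d->table_readers == 0)
        d->suspended = true;
}

/* Stand-in for the zone report: flags work done on a suspended device. */
static int do_report(const struct dev *d) {
    return d->suspended ? REPORT_ON_SUSPENDED : REPORT_OK;
}

/* Pre-fix ordering: test the state first, take the reference later. */
int report_zones_unlocked(struct dev *d) {
    if (d->suspended)
        return REPORT_REFUSED;
    suspend_attempt(d);          /* window: nothing is held yet */
    d->table_readers++;
    int ret = do_report(d);
    d->table_readers--;
    return ret;
}

/* Fixed ordering: take the reference, then test the state. */
int report_zones_fixed(struct dev *d) {
    int ret = REPORT_REFUSED;
    d->table_readers++;
    if (!d->suspended) {
        suspend_attempt(d);      /* same request, now has to wait */
        ret = do_report(d);
    }
    d->table_readers--;
    return ret;
}

int main(void) {
    struct dev a = { false, 0 }, b = { false, 0 };
    printf("unlocked: %d\n", report_zones_unlocked(&a));
    printf("fixed:    %d\n", report_zones_fixed(&b));
    return 0;
}
```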

HarborGuard Coverage

Detection

Detection of CVE-2026-46327 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle an affected Linux kernel version.

Status: Available

Triage

Triage is available using the CVSS v3.1 score of 7.8 (HIGH), weighted against each customer org's compliance policy to determine priority and routed to the appropriate team inbox automatically.

Status: Available

Patch

A patched-image rebuild at the fixed kernel versions (6.12.75, 6.16, and the identified upstream commits) becomes available on HarborGuard once the base image incorporating the fix is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests, and opens a PR against affected workloads.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to attempt exploitation; no administrative rights are needed.

  • Victim interaction: Not required

    No user interaction is required; the attacker can trigger the race condition independently.

  • Attack complexity

    The exploit is relatively reliable and does not depend on unusual environmental conditions, though it requires timing a suspension event against the unlocked check window.

Blast Radius

  • A successful attacker reads arbitrary kernel memory, including stored credentials, session tokens, and sensitive process data.
  • A successful attacker writes to kernel memory structures, enabling persistent modification of running kernel state or privilege escalation.
  • A successful attacker crashes the affected host by corrupting device-mapper state, causing a kernel panic and full service disruption.
  • Any containerized workload sharing the host kernel is exposed to the same impact, since the vulnerability is in the host kernel's device mapper subsystem.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication, covering any image that bundles an affected Linux kernel version. Where compliance policy permits, auto-remediation customers receive a rebuilt image pinned to a fixed kernel version (6.12.75 or 6.16), a regression-test run against that image, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where a kernel upgrade is not immediately feasible, compensating controls include restricting local shell access for untrusted users via network policy isolation and tightening container-to-host privilege boundaries to reduce the set of principals who can reach the vulnerable code path.


Fix available

0 · 175ac0a6115400278d3900f5a04a58b17b3f6cd0 · 24c405fdbe215c45e57bba672cc42859038491ee · 6.12.75 · 6.16 · 6.18.14 · 6.19.4 · 7.0 · 7a3385e97af2b6f485fef11e82d8c29adee4be93 · d809a36692ee1394cac85ce6ba7cf8ea58da5812

Affected packages
  • Linux / Linux
    < 175ac0a6115400278d3900f5a04a58b17b3f6cd0 (from f9c1bdf24615303d48a2d0fd629c88f3189563aa) · < 7a3385e97af2b6f485fef11e82d8c29adee4be93 (from 37f53a2c60d03743e0eacf7a0c01c279776fef4e) · < d809a36692ee1394cac85ce6ba7cf8ea58da5812 (from 37f53a2c60d03743e0eacf7a0c01c279776fef4e) · < 24c405fdbe215c45e57bba672cc42859038491ee (from 37f53a2c60d03743e0eacf7a0c01c279776fef4e) · d19bc1b4dd5f322980b1f05f79b2ea4f0db10920 · < 6.12.75 (from 6.12.34)
  • Linux / Linux
    6.16
    Fixed in 0, 6.12.75, 6.18.14, 6.19.4, 7.0
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H