CVE-2026-46328: apparmor: fix rlimit for posix cpu timers
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix rlimit for posix cpu timers. Posix cpu timers require an additional step beyond setting the rlimit. Refactor the code so it's clear what code is setting the limit and conditionally update the posix cpu timers when appropriate.
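The kernel description above comes down to one check a practitioner can make on a patched or unpatched host: an RLIMIT_CPU value that getrlimit() reports is only enforced if the POSIX CPU timer was armed and SIGXCPU actually arrives. The C program below is an added example, not code from the advisory or from the kernel patch; it sets the limit with setrlimit() in a child so it runs stand-alone and reports whether the limit fired. To exercise the AppArmor path instead, one would (as an assumption, not shown here) run the child under a profile whose rlimit rule supplies the limit and omit the setrlimit() call.

```c
/* Added example, not from the advisory or the kernel patch. Checks that an
 * RLIMIT_CPU soft limit is really enforced: the POSIX CPU timer must be armed
 * so SIGXCPU arrives; otherwise getrlimit() reports a limit that never fires.
 * Assumes a Linux/POSIX host where fork() is permitted. */
#define _GNU_SOURCE
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Returns 1 if a child limited to soft_secs of CPU time is killed by SIGXCPU,
 * 0 if it ran past the limit (not enforced), -1 on a setup error. */
int verify_rlimit_cpu_enforced(unsigned soft_secs)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_CPU, &rl) != 0)
            _exit(2);
        rl.rlim_cur = soft_secs;
        /* Hard limit just above the soft one; never raise an inherited one. */
        if (rl.rlim_max == RLIM_INFINITY || rl.rlim_max > soft_secs + 2)
            rl.rlim_max = soft_secs + 2;
        signal(SIGXCPU, SIG_DFL);      /* make SIGXCPU fatal and observable */
        if (setrlimit(RLIMIT_CPU, &rl) != 0)
            _exit(2);
        volatile unsigned long spin = 0;
        for (;;)                       /* burn CPU until the timer fires */
            spin++;
    }
    /* Parent: poll for up to soft_secs + 10 s of wall time so a timer that
     * was never armed shows up as "not enforced" instead of a hang. */
    struct timespec tick = { 0, 100 * 1000 * 1000 };   /* 100 ms */
    int status = 0;
    for (unsigned i = 0; i < (soft_secs + 10) * 10; i++) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r < 0)
            return -1;
        if (r == pid)
            return (WIFSIGNALED(status) && WTERMSIG(status) == SIGXCPU) ? 1 : 0;
        nanosleep(&tick, NULL);
    }
    kill(pid, SIGKILL);                /* limit never fired: clean up child */
    waitpid(pid, &status, 0);
    return 0;
}
```

A return value of 0 on a host where the limit was supplied by a profile rather than by setrlimit() is the symptom this CVE describes: the limit is visible but never enforced.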
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A privilege-escalation flaw exists in the Linux kernel's AppArmor subsystem, specifically in how it enforces rlimits for POSIX CPU timers: the rlimit was set without the additional step that arms the CPU timer. The bug is reachable locally by any low-privilege user with an existing session on the host; no network access is needed. Successful exploitation has a limited integrity impact on kernel-managed data and a high availability impact, crashing or hanging affected processes or the timer subsystem. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection of CVE-2026-46328 is available across every HarborGuard environment; the CVE is ingested from upstream Linux kernel security feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel or kernel modules.
HarborGuard scores this CVE at 7.3 HIGH (CVSS v3.1) and can weight that score against each customer environment's compliance policy to determine urgency; triage tickets are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild targeting the fix commits (including the stable 5.10.252 branch) becomes available on HarborGuard once upstream sources are indexed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
Any low-privilege local account is sufficient to attempt exploitation; no administrator or root credentials are needed upfront.
- Victim interaction: Not required
No action by another user or administrator is required; the attacker can trigger the flaw unilaterally.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental setup beyond having a local session.
Blast Radius
- The attacker can modify limited kernel-managed data structures related to POSIX CPU timer rlimit enforcement, undermining process resource controls.
- The attacker can crash or indefinitely stall affected processes or the CPU timer subsystem, causing denial of service for workloads on the host.
- Because the scope is changed (S:C in the CVSS vector), impact can extend beyond the attacker's own process boundary to affect other processes sharing the same kernel.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any customer image containing an affected Linux kernel version, covering both upstream base images and internally built images. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image against the patched kernel (stable branch 5.10.252 or the relevant mainline fix commits), runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually can review the flagged images in their HarborGuard dashboard and track fix-version availability there. Because this vulnerability requires local code execution, compensating controls such as restricting interactive shell access to containers and enforcing strict pod security policies can reduce exposure while a patched image is prepared.
Fix available
- Linux / Linux: affected from commit baa73d9e478ff32d62f3f9422822b59dd9a95a21; fixed in commits e1cc11550b2f66687a374536c9dfdddcefca0efe, 2232d7cd243833ad750cae656d1817fe43744a09, 28aa93fcfb33b6d580c5df4ae8b6d13fb0e6fcd3, 1f736dfe27c857b78f8461cd7c3dd9640be74b37, e43818b16815c0c2bf933ef28316f8e704e5e0ef, 9bf1fa150775b0c6b794e4b6a2c0395e13777999 (versions before each of these fix commits are affected)
- Linux / Linux 4.10 and later: fixed in 0, 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H