Severity: HIGH | CVE-2026-46330 | CNA: Linux

CVE-2026-46330: Revert "net/smc: Introduce TCP ULP support"

In the Linux kernel, the following vulnerability has been resolved:

Revert "net/smc: Introduce TCP ULP support"

This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40.

As reported by Al Viro, the TCP ULP support for SMC is fundamentally broken. The implementation attempts to convert an active TCP socket into an SMC socket by modifying the underlying `struct file`, dentry, and inode in-place, which violates core VFS invariants that assume these structures are immutable for an open file, creating a risk of use after free errors and general system instability.

Given the severity of this design flaw and the fact that cleaner alternatives (e.g., LD_PRELOAD, BPF) exist for legacy application transparency, the correct course of action is to remove this feature entirely.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's SMC (Shared Memory Communications) subsystem, specifically in the TCP ULP (Upper Layer Protocol) support feature introduced in kernel versions starting from commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40. The flaw is exploitable locally by any user with a low-privilege account, requiring no network access or user interaction. Successful exploitation allows an attacker to read memory, corrupt data, or crash the system entirely. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46330 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected Linux kernel version. Coverage extends to base images and derived images in both registry scans and active pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 vector and weights that score against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild targeting fixed kernel versions 6.19.4 and 7.0 (or their equivalent commit-pinned revisions) is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; no administrative or elevated credentials are needed.

  • Victim interaction: Not required

    The exploit executes without requiring any action from another user or process on the system.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions, specific memory layouts, or environmental prerequisites are required.

Blast Radius

  • Reads arbitrary kernel memory, which may expose credentials, session tokens, or sensitive process data from other users on the same host.
  • Modifies kernel data structures in-place, enabling tampering with kernel state or other processes running on the system.
  • Crashes the affected kernel, taking down all workloads on the host and causing a full service disruption.
  • Corrupts VFS (virtual filesystem) internals via the broken in-place inode and dentry modification, potentially destabilizing any open file operations across the system.

How HarborGuard Handles This

Available on HarborGuard: images containing an affected Linux kernel version are flagged immediately upon CVE ingestion, typically within minutes of upstream publication. For customers who opt into auto-remediation, HarborGuard rebuilds the image at a fixed kernel version (6.19.4, 7.0, or the corresponding patched commits), executes a regression test run against the rebuilt image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automatic remediation, the finding is surfaced in the triage queue with CVSS context and fix-version details so security and platform teams can act on their own schedule. All image variants, including custom-built images that layer on an affected base kernel, are in scope for both detection and the rebuild flow.

Fix available

  • 0
  • 6.19.4
  • 6c505d95c69e27dbf28fea29dc84d2498d69515c
  • 7.0
  • df31a6b0a3057e66994ad6ccf5d95b9b9514f033

Affected packages
  • Linux / Linux
    < 6c505d95c69e27dbf28fea29dc84d2498d69515c (from d7cd421da9da2cc7b4d25b8537f66db5c8331c40) · < df31a6b0a3057e66994ad6ccf5d95b9b9514f033 (from d7cd421da9da2cc7b4d25b8537f66db5c8331c40)
  • Linux / Linux
    5.17
    Fixed in 0, 6.19.4, 7.0
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
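
A host-side triage check for the range listed under Affected packages, added here as an example; it is not part of the HarborGuard page or of the kernel project's code. It assumes the ULP registers under the name smc and that the sysctl file /proc/sys/net/ipv4/tcp_available_ulp is readable; the function names are illustrative.

```shell
#!/bin/sh
# Added example: triage for CVE-2026-46330 using the range on this page
# (introduced in 5.17; fixed in 6.19.4 and 7.0). Distribution kernels may
# carry backports, so a version match is a lead to confirm, not a verdict.

# ver_lt A B: succeeds when dotted version A sorts strictly before B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# kernel_in_affected_range RELEASE: 0 if 5.17 <= RELEASE < 6.19.4,
# 1 if outside that range, 2 if RELEASE has no leading x.y[.z] version.
kernel_in_affected_range() {
    _v=$(printf '%s' "$1" | grep -oE '^[0-9]+(\.[0-9]+){1,2}') || return 2
    ! ver_lt "$_v" "5.17" && ver_lt "$_v" "6.19.4"
}

# ulp_lists_smc LIST: succeeds when the space-separated ULP list names "smc"
# (assumed registration name of the SMC ULP).
ulp_lists_smc() {
    case " $1 " in *" smc "*) return 0 ;; *) return 1 ;; esac
}

# assess RELEASE ULP_LIST: prints a single triage verdict.
assess() {
    kernel_in_affected_range "$1" && _rc=0 || _rc=$?
    case $_rc in
        0) if ulp_lists_smc "$2"; then
               echo "in-range smc-ulp-registered"
           else
               # Registration is checked at scan time only; a module can be
               # loaded later, so the kernel still needs the fixed version.
               echo "in-range smc-ulp-not-registered"
           fi ;;
        1) echo "outside-range" ;;
        *) echo "unknown-version" ;;
    esac
}

# Local host: running kernel release plus currently registered TCP ULPs.
assess "$(uname -r)" "$(cat /proc/sys/net/ipv4/tcp_available_ulp 2>/dev/null)"
```
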