Skip to main content

Linux Kernel CVE-2026-46054

| EUVDEUVD-2026-32436 HIGH
Improper Handling of Insufficient Permissions or Privileges (CWE-280)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xg2q-7399-f2r3
7.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:41 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

selinux: fix overlayfs mmap() and mprotect() access checks

The existing SELinux security model for overlayfs is to allow access if the current task is able to access the top level file (the "user" file) and the mounter's credentials are sufficient to access the lower level file (the "backing" file). Unfortunately, the current code does not properly enforce these access controls for both mmap() and mprotect() operations on overlayfs filesystems.

This patch makes use of the newly created security_mmap_backing_file() LSM hook to provide the missing backing file enforcement for mmap() operations, and leverages the backing file API and new LSM blob to provide the necessary information to properly enforce the mprotect() access controls.

AnalysisAI

Local privilege-bounded information disclosure and integrity compromise in the Linux kernel's SELinux module affects overlayfs mounts where mmap() and mprotect() operations bypass the intended dual-credential access checks. A local authenticated user with access to an overlayfs top-level (user) file can map or change protections on backing files without the mounter's credentials being properly evaluated, undermining the SELinux overlayfs security model. EPSS is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis.

Technical ContextAI

Overlayfs is a stackable union filesystem in Linux that presents a merged view of an upper (writable) layer and one or more lower (read-only) layers; SELinux normally enforces a two-step check that the calling task can access the visible 'user' file and that the mounter's credentials can access the underlying 'backing' file. Prior to this fix, the mmap() and mprotect() syscall paths did not invoke the backing-file enforcement, so the lower-layer access check was effectively skipped for memory-mapped operations. The patch introduces use of the new security_mmap_backing_file() LSM hook and the backing-file API/LSM blob so that the backing credential check is consistently applied at map and protection-change time. The CWE is unspecified by NVD, but the issue belongs to the access-control-bypass / missing authorization class (CWE-862/285 family) in an LSM enforcement path.

RemediationAI

Vendor-released patch: Linux 7.0.4 (stable) and 7.1-rc1 (mainline) - upgrade to a kernel that includes commits 82544d36b1729153c8aeb179e84750f0c085d3b1 and cd0e707a927a70cdfd8bc5a512a9719a87f5ed51, available at https://git.kernel.org/stable/c/82544d36b1729153c8aeb179e84750f0c085d3b1 and https://git.kernel.org/stable/c/cd0e707a927a70cdfd8bc5a512a9719a87f5ed51, and consume distribution kernel updates (RHEL/Fedora/Ubuntu/SUSE) once they backport these commits. Where immediate kernel update is infeasible, compensating controls include avoiding overlayfs for security-sensitive mounts (use a different stackable or direct bind mount, accepting loss of layered image semantics for containers), restricting which users can execute workloads on overlayfs-backed roots, and tightening SELinux policy to deny mmap/mprotect on the relevant file_t types used by lower layers (trade-off: may break legitimate container workloads that legitimately mmap shared libraries from images). Disabling SELinux is not a workaround and would worsen exposure.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46054 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy