Skip to main content

Linux Kernel CVE-2026-46100

| EUVDEUVD-2026-32483 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fff5-56xf-g7v8
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:47 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

fs: afs: revert mmap_prepare() change

Partially reverts commit 9d5403b1036c ("fs: convert most other generic_file_*mmap() users to .mmap_prepare()").

This is because the .mmap invocation establishes a refcount, but .mmap_prepare is called at a point where a merge or an allocation failure might happen after the call, which would leak the refcount increment.

Functionality is being added to permit the use of .mmap_prepare in this case, but in the interim, we need to fix this.

AnalysisAI

Local privilege-impacting memory corruption in the Linux kernel's AFS filesystem can be triggered by an authenticated local user mapping AFS files, leading to a refcount leak that can cause kernel resource exhaustion or use-after-free conditions affecting confidentiality, integrity, and availability. The flaw stems from an incorrect conversion of AFS's mmap handler to the new .mmap_prepare() interface (commit 9d5403b1036c), which leaks reference counts when a VMA merge or allocation failure occurs after the prepare call. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at just 0.02%.

Technical ContextAI

The Andrew File System (AFS) is a distributed network filesystem implementation in the Linux kernel (fs/afs). The kernel recently introduced a .mmap_prepare() callback intended to replace the legacy .mmap callback for many generic_file_*mmap() users. The crucial semantic difference is that .mmap is invoked after the VMA is fully set up and any refcounts taken inside survive subsequent steps, whereas .mmap_prepare() runs earlier - before a possible VMA merge or post-allocation failure path - meaning any refcount increment taken inside .mmap_prepare() can be leaked if the surrounding mmap machinery later aborts or coalesces VMAs. AFS's mmap path establishes a refcount on the underlying cache/file object, so converting it to .mmap_prepare() (commit 9d5403b1036c) introduced a reference leak. CWE is not assigned but this maps to CWE-911 (Improper Update of Reference Count) / CWE-401 (Missing Release of Memory after Effective Lifetime).

RemediationAI

Upgrade to a Linux kernel that contains the partial revert of commit 9d5403b1036c - specifically mainline 7.1-rc1, stable 7.0.4, or stable 6.18.27, or pull the upstream fix commits 48c7a0eaeea4, f51f85c04480, and fbfc6578eaca via your distribution's stable backport process. Distribution-supplied kernels (RHEL, SUSE, Ubuntu, Debian) should be tracked for their respective backported builds via the vendor advisory channels. As an interim mitigation where patching is not immediately possible, unload or disable the AFS kernel module (rmmod kafs / blacklist kafs in /etc/modprobe.d/) and unmount any AFS mounts - the trade-off is loss of AFS access for any users or services depending on it. Restricting local shell access on AFS-using systems is a partial control but does not address insider risk since exploitation requires only PR:L. Patch availability: Vendor-released patch - mainline 7.1-rc1, stable 6.18.27, stable 7.0.4.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46100 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy