Skip to main content

Linux Kernel CVE-2026-46145

| EUVDEUVD-2026-32772 HIGH
Out-of-bounds Write (CWE-787)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h8h4-4mrv-wh3h
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:56 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana: Validate rx_hash_key_len

Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.

AnalysisAI

Local privilege escalation in the Linux kernel's RDMA/mana driver allows an authenticated low-privileged user to corrupt kernel memory by supplying an oversized rx_hash_key_len via the uAPI structure, which is passed unchecked to memcpy. The flaw affects kernels using the Microsoft Azure Network Adapter (MANA) RDMA driver and can lead to heap/stack overflow within kernel space, enabling potential code execution or system compromise. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating limited exploitation interest so far.

Technical ContextAI

The vulnerability resides in the RDMA/mana driver, which implements Microsoft Azure Network Adapter (MANA) support for Remote Direct Memory Access in the Linux kernel. The rx_hash_key_len field is part of a user-controlled uAPI structure used to configure receive-side hashing for RDMA queue pairs. Because the kernel copied the user-supplied key into a fixed-size buffer using memcpy without validating the length, attackers could specify an arbitrary length, producing a classic buffer overflow (CWE-120/CWE-787-class issue, though the CVE record lists CWE as N/A). The fix introduces explicit bounds checking before the memcpy so an oversized length is rejected rather than blindly trusted.

RemediationAI

Upgrade to a patched Linux kernel: 6.6.141, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or later) from your distribution, applying the upstream commits referenced at git.kernel.org/stable/c/012796f9541fcd0c1fa8ae4da7eb4d83931ef838 and the related stable backports. Cloud users on Azure should track their distribution vendor's kernel update (e.g., Ubuntu, RHEL, SLES, Azure Linux) and reboot affected VMs. As a temporary compensating control where patching is delayed, unload or blacklist the mana_ib kernel module (modprobe -r mana_ib; add to /etc/modprobe.d/blacklist.conf) on systems that do not require RDMA over MANA - note this will disable RDMA-accelerated networking on Azure VMs that rely on it. Restricting access to the RDMA uverbs device nodes (/dev/infiniband/uverbsN) via stricter permissions or namespaces can also reduce reachability for unprivileged users and containers.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy