Skip to main content

Linux Kernel CVE-2026-46302

| EUVDEUVD-2026-35167 MEDIUM
2026-06-08 Linux GHSA-m47f-j4g8-cj3f
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges required to open the file; sole impact is availability to SELinux policy readers, no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 15:30 vuln.today
CVSS changed
Jul 08, 2026 - 14:52 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

selinux: allow multiple opens of /sys/fs/selinux/policy

Currently there can only be a single open of /sys/fs/selinux/policy at any time. This allows any process to block any other process from reading the kernel policy. The original motivation seems to have been a mix of preventing an inconsistent view of the policy size and preventing userspace from allocating kernel memory without bound, but this is arguably equally bad. Eliminate the policy_opened flag and shrink the critical section that the policy mutex is held. While we are making changes here, drop a couple of extraneous BUG_ONs.

AnalysisAI

Local denial-of-service in the Linux kernel's SELinux subsystem allows any low-privileged local process to monopolize the /sys/fs/selinux/policy file descriptor, blocking all other processes from reading the active kernel policy. The root cause is a policy_opened flag that enforced a single-open restriction on the SELinux policy pseudofile - originally intended to prevent inconsistent reads or unbounded kernel memory allocation, but which also created a trivial resource-starvation primitive. No active exploitation has been identified (not in CISA KEV), and the EPSS score of 0.02% places this in the 5th percentile for exploitation likelihood.

Technical ContextAI

The affected component is the SELinux pseudo-filesystem, specifically the /sys/fs/selinux/policy file exposed via the kernel's selinuxfs. The code maintained a policy_opened boolean flag that permitted only one concurrent opener at a time, enforced under the policy mutex. While the intent was to present a consistent snapshot of policy size to userspace and avoid indefinite kernel memory commitment, the implementation created a denial-of-service window: any process holding the file open would exhaust the single-open slot, starving security tools (e.g., sesearch, audit2allow, policy loaders) that need to read the policy. The patch eliminates policy_opened, shrinks the critical section held under the policy mutex, and removes two extraneous BUG_ON assertions. The CWE is not formally assigned, but this maps closely to CWE-667 (Improper Locking) or CWE-400 (Uncontrolled Resource Consumption). Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* covering kernel versions from commit 1da177e4c3f4 up to the fix commits.

RemediationAI

The primary fix is to upgrade the Linux kernel to version 7.0.7 (stable) or 7.1-rc3 (release candidate), which contain commits 714362f3779dfa453a78ced32396a72726962a41 and a02cd6805562305f936e807da83e253b719dd995 respectively - available via https://git.kernel.org/stable/c/714362f3779dfa453a78ced32396a72726962a41 and https://git.kernel.org/stable/c/a02cd6805562305f936e807da83e253b719dd965. Distribution maintainers should backport these commits to supported kernel stable branches. As a compensating control pending patching, access to /sys/fs/selinux/policy can be restricted using DAC permissions or a mandatory access control policy that limits which processes may open the file, reducing the pool of potential abusers - though this may break legitimate policy-introspection tooling. There are no trade-free workarounds; the only complete resolution is applying the upstream patch.

Share

CVE-2026-46302 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy