CVE-2026-46054
- ULN >
- Oracle Linux CVE repository >
- CVE-2026-46054
CVE Details
| Release Date: | 2026-05-27 | |
| Impact: | Important | What is this? |
Description
In the Linux kernel, the following vulnerability has been resolved: selinux: fix overlayfs mmap() and mprotect() access checks The existing SELinux security model for overlayfs is to allow access if the current task is able to access the top level file (the "user" file) and the mounter's credentials are sufficient to access the lower level file (the "backing" file). Unfortunately, the current code does not properly enforce these access controls for both mmap() and mprotect() operations on overlayfs filesystems. This patch makes use of the newly created security_mmap_backing_file() LSM hook to provide the missing backing file enforcement for mmap() operations, and leverages the backing file API and new LSM blob to provide the necessary information to properly enforce the mprotect() access controls.
See more information about CVE-2026-46054 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
CVSS v3 metrics
| Base Score: | 7.0 |
| Vector String: | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Version: | 3.1 |
| Attack Vector: | Local |
| Attack Complexity: | High |
| Privileges Required: | Low |
| User Interaction: | None |
| Scope: | Unchanged |
| Confidentiality Impact: | High |
| Integrity Impact: | High |
| Availability Impact: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 8 (kernel) | ELSA-2026-27811 | 2026-06-23 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
