PatchSiren

CVE-2026-46054 Linux CVE debrief

CVE-2026-46054 addresses a security policy enforcement gap in the Linux kernel's SELinux implementation for overlayfs. The vulnerability involves incomplete access control checks for mmap() and mprotect() operations on overlayfs filesystems. Under SELinux's overlayfs security model, access requires both the current task's ability to access the top-level (user) file and the mounter's credentials being sufficient to access the lower-level (backing) file. The existing code failed to properly enforce backing file access controls for memory mapping operations. The resolution introduces the security_mmap_backing_file() LSM hook to enforce backing file permissions during mmap() operations, and utilizes the backing file API with a new LSM blob to enable proper mprotect() access control enforcement. This is a local privilege boundary issue affecting systems with SELinux enabled and overlayfs in use.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with SELinux in enforcing mode and overlayfs mounts, particularly container platforms, build systems, and multi-tenant environments where overlayfs is used for layered filesystem operations. Security teams responsible for mandatory access control policy enforcement and kernel security posture.

Technical summary

The vulnerability exists in SELinux's handling of overlayfs memory operations. Overlayfs presents a unified view of a lower (backing) filesystem and an upper (user) filesystem. SELinux's security model requires dual authorization: the accessing task must have permissions on the user-visible file, and the mounter's credentials must authorize access to the backing file. The implementation gap meant that mmap() and mprotect() operations did not validate backing file permissions, potentially allowing unauthorized memory mappings or protection changes. The fix integrates with the LSM framework through a new hook (security_mmap_backing_file()) and extends the backing file infrastructure to capture and enforce policy decisions during mprotect() calls. This is infrastructure-level hardening rather than a specific exploit vector, but closes a policy enforcement consistency issue that could contribute to privilege escalation chains on SELinux-hardened systems.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable tree commits when available through distribution security channels
  • Verify SELinux is enforcing on systems using overlayfs
  • Review overlayfs mount configurations for compliance with organizational security policies
  • Monitor distribution security advisories for kernel package updates addressing this CVE
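
A read-only host check for the second action above, added here as an example (it is not PatchSiren's or the kernel project's code). It assumes the standard /proc/mounts layout and the selinuxfs file /sys/fs/selinux/enforce; the function names and status strings are illustrative.

```shell
#!/bin/sh
# Added example: report whether a host is in the configuration this CVE
# concerns (SELinux in use and overlayfs mounted). Read-only checks.

# Print the mountpoint of every overlayfs mount listed in a
# /proc/mounts-format file (fields: device mountpoint fstype options ...).
overlay_mounts() {
    [ -r "$1" ] || return 0
    awk '$3 == "overlay" { print $2 }' "$1"
}

# Map the selinuxfs "enforce" file to a mode name. The file holds 1 or 0;
# it is absent when SELinux is disabled or selinuxfs is not mounted.
selinux_mode() {
    [ -r "$1" ] || { echo disabled; return 0; }
    case "$(tr -d '[:space:]' < "$1")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Combine both checks into a one-word status for inventory tooling.
assess_host() {
    mounts=$(overlay_mounts "$1")
    mode=$(selinux_mode "$2")
    if [ -z "$mounts" ]; then
        echo "no-overlayfs"
    elif [ "$mode" = enforcing ]; then
        echo "overlayfs-enforcing"      # policy active: schedule kernel update
    else
        echo "overlayfs-not-enforcing"  # fix SELinux mode, then update
    fi
}

# Paths default to the live system; pass two file arguments to override.
mounts_file="${1:-/proc/mounts}"
enforce_file="${2:-/sys/fs/selinux/enforce}"
echo "SELinux mode: $(selinux_mode "$enforce_file")"
echo "overlayfs mounts:"
overlay_mounts "$mounts_file" | sed 's/^/  /'
echo "status: $(assess_host "$mounts_file" "$enforce_file")"
```

The debrief lists no fixed kernel versions, so the script does not judge patch status; it only identifies hosts where SELinux and overlayfs are both in play.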

Evidence notes

The CVE description confirms this is a resolved vulnerability in the Linux kernel's SELinux subsystem. The fix involves new LSM infrastructure (security_mmap_backing_file() hook, backing file API, new LSM blob) to close the enforcement gap. Two kernel.org stable tree commits are referenced as remediation sources. No CVSS score or severity has been assigned by NVD at time of disclosure.

Official resources

2026-05-27