HIGH Published 2026-05-27

selinux OverlayFS Bypass

CVE-2026-46054

CVSS 7.1 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

KernelScan AI7.8HIGH

01Description

In the Linux kernel, the following vulnerability has been resolved: selinux: fix overlayfs mmap() and mprotect() access checks The existing SELinux security model for overlayfs is to allow access if the current task is able to access the top level file (the "user" file) and the mounter's credentials are sufficient to access the lower level file (the "backing" file). Unfortunately, the current code does not properly enforce these access controls for both mmap() and mprotect() operations on overlayfs filesystems. This patch makes use of the newly created security_mmap_backing_file() LSM hook to provide the missing backing file enforcement for mmap() operations, and leverages the backing file API and new LSM blob to provide the necessary information to properly enforce the mprotect() access controls.

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

Local users with low privileges can bypass SELinux access controls on overlayfs filesystems during mmap() and mprotect() operations. This allows unauthorized access to files that should be protected by SELinux policy, potentially leading to privilege escalation or unauthorized data access.

Affectedsecurity/selinux/hooks.c (SELinux)

Vulnerability analysis

The vulnerability stems from incomplete enforcement of SELinux access controls for overlayfs backing files during mmap() and mprotect() operations. SELinux's overlayfs security model requires checking both the user-visible file and the backing file with appropriate credentials, but the original code only validated the top-level file. The fix implements proper dual validation by adding a new security_mmap_backing_file() LSM hook and enhancing mprotect() checks to validate both the user file (with current task credentials) and backing file (with mounter credentials). This affects local users who can access overlayfs mounts, requiring only basic user privileges to trigger.

03Fix Versions

Branch	Fixed in	Patch commit
7.0	7.0.4	`cd0e707a927a`
mainline	7.1-rc1	`82544d36b172`