CVE-2026-46242 (GCVE-0-2026-46242)

Vulnerability from cvelistv5 – Published: 2026-05-30 12:13 – Updated: 2026-05-30 12:13
VLAI
Title
eventpoll: fix ep_remove struct eventpoll / struct file UAF
Summary
In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file UAF ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free(). For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed kmalloc-192 memory. In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache. Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs. If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there. A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 58c9b016e12855286370dfb704c08498edbc857a , < ef4ca02e95363e78977ca04340d44fe3b4b2b81f (git)
Affected: 58c9b016e12855286370dfb704c08498edbc857a , < ced39b6a8062bac5c18a1c3df85634107eb8664a (git)
Affected: 58c9b016e12855286370dfb704c08498edbc857a , < a6dc643c69311677c574a0f17a3f4d66a5f3744b (git)
Create a notification for this product.
Linux Linux Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.18.33 , ≤ 6.18.* (semver)
Unaffected: 7.0.10 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/eventpoll.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ef4ca02e95363e78977ca04340d44fe3b4b2b81f",
              "status": "affected",
              "version": "58c9b016e12855286370dfb704c08498edbc857a",
              "versionType": "git"
            },
            {
              "lessThan": "ced39b6a8062bac5c18a1c3df85634107eb8664a",
              "status": "affected",
              "version": "58c9b016e12855286370dfb704c08498edbc857a",
              "versionType": "git"
            },
            {
              "lessThan": "a6dc643c69311677c574a0f17a3f4d66a5f3744b",
              "status": "affected",
              "version": "58c9b016e12855286370dfb704c08498edbc857a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/eventpoll.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: fix ep_remove struct eventpoll / struct file UAF\n\nep_remove() (via ep_remove_file()) cleared file-\u003ef_ep under\nfile-\u003ef_lock but then kept using @file inside the critical section\n(is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).\nA concurrent __fput() taking the eventpoll_release() fastpath in\nthat window observed the transient NULL, skipped\neventpoll_release_file() and ran to f_op-\u003erelease / file_free().\n\nFor the epoll-watches-epoll case, f_op-\u003erelease is\nep_eventpoll_release() -\u003e ep_clear_and_put() -\u003e ep_free(), which\nkfree()s the watched struct eventpoll. Its embedded -\u003erefs\nhlist_head is exactly where epi-\u003efllink.pprev points, so the\nsubsequent hlist_del_rcu()\u0027s \"*pprev = next\" scribbles into freed\nkmalloc-192 memory.\n\nIn addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot\nbacking @file could be recycled by alloc_empty_file() --\nreinitializing f_lock and f_ep -- while ep_remove() is still\nnominally inside that lock. The upshot is an attacker-controllable\nkmem_cache_free() against the wrong slab cache.\n\nPin @file via epi_fget() at the top of ep_remove() and gate the\ncritical section on the pin succeeding. With the pin held @file\ncannot reach refcount zero, which holds __fput() off and\ntransitively keeps the watched struct eventpoll alive across the\nhlist_del_rcu() and the f_lock use, closing both UAFs.\n\nIf the pin fails @file has already reached refcount zero and its\n__fput() is in flight. Because we bailed before clearing f_ep,\nthat path takes the eventpoll_release() slow path into\neventpoll_release_file() and blocks on ep-\u003emtx until the waiter\nside\u0027s ep_clear_and_put() drops it. The bailed epi\u0027s share of\nep-\u003erefcount stays intact, so the trailing ep_refcount_dec_and_test()\nin ep_clear_and_put() cannot free the eventpoll out from under\neventpoll_release_file(); the orphaned epi is then cleaned up\nthere.\n\nA successful pin also proves we are not racing\neventpoll_release_file() on this epi, so drop the now-redundant\nre-check of epi-\u003edying under f_lock. The cheap lockless\nREAD_ONCE(epi-\u003edying) fast-path bailout stays."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-30T12:13:45.594Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b"
        }
      ],
      "title": "eventpoll: fix ep_remove struct eventpoll / struct file UAF",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46242",
    "datePublished": "2026-05-30T12:13:45.594Z",
    "dateReserved": "2026-05-13T15:03:33.107Z",
    "dateUpdated": "2026-05-30T12:13:45.594Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46242\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-30T13:16:21.980\",\"lastModified\":\"2026-05-30T13:16:21.980\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\neventpoll: fix ep_remove struct eventpoll / struct file UAF\\n\\nep_remove() (via ep_remove_file()) cleared file-\u003ef_ep under\\nfile-\u003ef_lock but then kept using @file inside the critical section\\n(is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).\\nA concurrent __fput() taking the eventpoll_release() fastpath in\\nthat window observed the transient NULL, skipped\\neventpoll_release_file() and ran to f_op-\u003erelease / file_free().\\n\\nFor the epoll-watches-epoll case, f_op-\u003erelease is\\nep_eventpoll_release() -\u003e ep_clear_and_put() -\u003e ep_free(), which\\nkfree()s the watched struct eventpoll. Its embedded -\u003erefs\\nhlist_head is exactly where epi-\u003efllink.pprev points, so the\\nsubsequent hlist_del_rcu()\u0027s \\\"*pprev = next\\\" scribbles into freed\\nkmalloc-192 memory.\\n\\nIn addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot\\nbacking @file could be recycled by alloc_empty_file() --\\nreinitializing f_lock and f_ep -- while ep_remove() is still\\nnominally inside that lock. The upshot is an attacker-controllable\\nkmem_cache_free() against the wrong slab cache.\\n\\nPin @file via epi_fget() at the top of ep_remove() and gate the\\ncritical section on the pin succeeding. With the pin held @file\\ncannot reach refcount zero, which holds __fput() off and\\ntransitively keeps the watched struct eventpoll alive across the\\nhlist_del_rcu() and the f_lock use, closing both UAFs.\\n\\nIf the pin fails @file has already reached refcount zero and its\\n__fput() is in flight. Because we bailed before clearing f_ep,\\nthat path takes the eventpoll_release() slow path into\\neventpoll_release_file() and blocks on ep-\u003emtx until the waiter\\nside\u0027s ep_clear_and_put() drops it. The bailed epi\u0027s share of\\nep-\u003erefcount stays intact, so the trailing ep_refcount_dec_and_test()\\nin ep_clear_and_put() cannot free the eventpoll out from under\\neventpoll_release_file(); the orphaned epi is then cleaned up\\nthere.\\n\\nA successful pin also proves we are not racing\\neventpoll_release_file() on this epi, so drop the now-redundant\\nre-check of epi-\u003edying under f_lock. The cheap lockless\\nREAD_ONCE(epi-\u003edying) fast-path bailout stays.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.