Skip to main content

Linux Kernel CVE-2026-46106

| EUVDEUVD-2026-32865 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vr2g-5q36-7736
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.1 MEDIUM

Race condition requires concurrent privileged operations (remount + kprobe write, both needing CAP_SYS_ADMIN), so AC:H and PR:H; no confidentiality or integrity impact.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.1 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:39 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

eventfs: Hold eventfs_mutex and SRCU when remount walks events

Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") had eventfs_set_attrs() recurse through ei->children on remount. The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:

  • list_for_each_entry over ei->children races with the list_del_rcu()

in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as d2603279c7d6.

  • eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).

rcu_read_lock() does not extend an SRCU grace period, so ti->private can be reclaimed under the walk.

  • The writes to ei->attr race with eventfs_set_attr(), which holds

eventfs_mutex.

Reproducer:

while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done & while :; do echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events echo > /sys/kernel/tracing/kprobe_events done

Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.

Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.

AnalysisAI

Three concurrent race conditions in the Linux kernel's eventfs subsystem (tracefs) can be triggered during remount operations, leading to kernel denial-of-service via LIST_POISON1 pointer dereference or use-after-free. Systems running affected kernel versions with tracefs mounted are vulnerable when a local user with sufficient privilege simultaneously remounts the filesystem while kprobe events are being added or removed. No public exploit code has been identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low observed exploitation probability.

Technical ContextAI

The vulnerability is rooted in locking discipline errors within the Linux kernel's eventfs layer (part of tracefs/debugfs, CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*). Commit 340f0c7067a9 introduced eventfs_set_attrs() recursing over ei->children during remount while holding only rcu_read_lock(). This creates three distinct races: (1) list_for_each_entry over ei->children races with list_del_rcu() in eventfs_remove_rec(), potentially dereferencing a LIST_POISON1 sentinel after removal; (2) eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...) using SRCU rather than classic RCU, meaning rcu_read_lock() does not extend the required SRCU grace period - ti->private can be reclaimed under the walk; (3) writes to ei->attr during the remount walk race with eventfs_set_attr(), which holds eventfs_mutex, creating a lock-order violation and data race. The fix introduces eventfs_remount_lock()/_unlock() to take both eventfs_mutex and srcu_read_lock(&eventfs_srcu) around the events portion of tracefs_apply_options(). No CWE was assigned by NVD, but the root causes align with CWE-362 (Race Condition) and CWE-416 (Use-After-Free) for the SRCU/list-removal races.

RemediationAI

The primary remediation is to upgrade to a patched kernel version: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc1, depending on the series in use. Upstream fix commits are available at https://git.kernel.org/stable/c/07004a8c4b572171934390148ee48c4175c77eed, https://git.kernel.org/stable/c/52b109f1b875b912d4ab2c5fdd8c322d47119d9b, https://git.kernel.org/stable/c/44e64d8a432837308f4dda3ffe819f1ec092a0ba, https://git.kernel.org/stable/c/ed2ad73bcb0a7a6cc934097d4853b6d5124c317e, and https://git.kernel.org/stable/c/ae9cd0b46b1890040006a2fc5e905c5d6053fd02. If an immediate kernel update is not possible, a compensating control is to unmount or disable tracefs (umount /sys/kernel/tracing) on systems where dynamic tracing is not operationally required - this eliminates the attack surface entirely but removes kprobe/ftrace observability. A second control is restricting tracefs remount capability to root-only via kernel lockdown mode or removing CAP_SYS_ADMIN from unprivileged namespaces (kernel.unprivileged_userns_clone=0 on applicable distributions), which raises the required privilege level. Neither workaround is without trade-offs: disabling tracefs breaks observability tooling (BPF CO-RE, perf, ftrace-based profilers), and namespace restriction may break containerized workloads.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46106 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy