Skip to main content

Linux Kernel CVE-2026-46173

| EUVDEUVD-2026-32800 HIGH
Out-of-bounds Write (CWE-787)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mpr4-2mm3-rwm6
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:59 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

exit: prevent preemption of oopsing TASK_DEAD task

When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedule(), which has a comment saying "WARNING: must be called with preemption disabled!".

If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).

This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.

(This does not just affect "recursively oopsing" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)

AnalysisAI

Memory corruption in the Linux kernel scheduler exit path allows local low-privileged users to trigger use-after-free or double-free of task stacks when an exiting task oopses, per CVE-2026-46173. The flaw stems from make_task_dead() invoking do_task_dead() with preemption enabled, violating the scheduler's requirement that __schedule() run with preemption disabled, which can leave two tasks running on the same stack. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Technical ContextAI

The vulnerability is in the Linux kernel task-exit logic in kernel/exit.c. When a task oopses during its own exit path (e.g., inside a file_operations::release handler), make_task_dead() transitions the task to TASK_DEAD and calls do_task_dead(), which invokes __schedule(). Because preemption was left enabled, an oopsing TASK_DEAD task can be preempted between its state transition and the explicit schedule call. finish_task_switch() then incorrectly assumes the task is gone for good and drops references on its stack, but the preempted task is later rescheduled, producing a use-after-free or double-free of the task_struct stack. CWE classification was not provided by NVD, but the bug class aligns with CWE-416 (Use After Free) / CWE-415 (Double Free); tags indicate 'Buffer Overflow, Linux'. Two kernel tasks running on a shared, freed stack is the corruption primitive.

RemediationAI

Upgrade to a patched Linux kernel - Vendor-released patch: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc4 (or any distro kernel that has merged the upstream commits listed at https://git.kernel.org/stable/c/c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891 and siblings). For systems that cannot be rebooted immediately, apply the live patch from your distribution vendor (Red Hat kpatch, Canonical Livepatch, SUSE kGraft) once available, and track distro advisories via https://nvd.nist.gov/vuln/detail/CVE-2026-46173. As compensating controls until patched, restrict local shell and container runtime access on multi-tenant hosts, enable kernel.panic_on_oops=1 so that an oops halts the system instead of producing the corruption window (trade-off: any oops becomes a node outage and may aid denial-of-service), and tighten seccomp/LSM policies on untrusted workloads to reduce the surface that can drive a release-time oops. There is no narrowly-targeted feature toggle to disable, since the affected code is in the core scheduler exit path.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46173 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy