Skip to main content

Linux Kernel CVE-2026-46242

| EUVDEUVD-2026-33459 HIGH
Use After Free (CWE-416)
2026-05-30 Linux GHSA-h4r8-4j67-99mx
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 07:24 vuln.today
CVSS changed
Jun 05, 2026 - 07:22 NVD
7.8 (HIGH)
CVE Published
May 30, 2026 - 12:13 nvd
UNKNOWN (no severity yet)
CVE Published
May 30, 2026 - 12:13 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

eventpoll: fix ep_remove struct eventpoll / struct file UAF

ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().

For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed kmalloc-192 memory.

In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.

Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.

If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.

A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.

AnalysisAI

Local privilege escalation in the Linux kernel eventpoll (epoll) subsystem stems from a use-after-free in ep_remove() where file->f_ep is cleared but the file pointer continues to be used inside the f_lock critical section, allowing a concurrent __fput() to free the underlying struct eventpoll and struct file. Successful exploitation yields an attacker-controllable kmem_cache_free() against the wrong slab cache, enabling memory corruption that can lead to high-integrity, high-confidentiality, and high-availability impact (CVSS 7.8). EPSS is very low (0.02%), no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

The flaw resides in fs/eventpoll.c in the Linux kernel, the implementation of the epoll I/O event notification facility. The root cause is a use-after-free race (CWE-416 class, though the CVE record lists CWE as N/A): ep_remove_file() clears file->f_ep under file->f_lock and then continues using @file (calling is_file_epoll(), hlist_del_rcu() through the file's head, and spin_unlock) within the same critical section. A concurrent __fput() that observes the transient NULL takes the eventpoll_release() fastpath, skips eventpoll_release_file(), and proceeds to f_op->release / file_free(). For the epoll-watches-epoll case, this triggers ep_eventpoll_release() → ep_clear_and_put() → ep_free(), which kfree()s the watched struct eventpoll while the racing thread still holds a pointer into its embedded ->refs hlist_head (kmalloc-192 slab). Additionally, struct file is SLAB_TYPESAFE_BY_RCU, so the file slot can be recycled by alloc_empty_file() - reinitializing f_lock and f_ep - while ep_remove() still believes it holds that lock, producing an attacker-controllable kmem_cache_free() against the wrong slab cache. The fix pins @file via epi_fget() at the start of ep_remove() and gates the critical section on the pin succeeding.

RemediationAI

Vendor-released patch: upgrade to Linux 6.18.33, 7.0.10, or 7.1-rc1 (or later) which contain the upstream fix pinning @file via epi_fget() in ep_remove(); the relevant stable commits are ef4ca02e95363e78977ca04340d44fe3b4b2b81f, ced39b6a8062bac5c18a1c3df85634107eb8664a, and a6dc643c69311677c574a0f17a3f4d66a5f3744b at git.kernel.org/stable. On distribution kernels, apply the vendor's backported package once available and consult the NVD record at https://nvd.nist.gov/vuln/detail/CVE-2026-46242 and the VulDB entry at https://vuldb.com/vuln/367431. Where immediate patching is not possible, reduce exposure by restricting local shell or container execution on the host to trusted users, since exploitation requires local low-privileged code execution - note this reduces but does not eliminate risk on multi-tenant systems. Hardening such as kernel.unprivileged_userns_clone=0, seccomp profiles that block or constrain epoll_ctl on untrusted workloads, and enabling SLAB_FREELIST_HARDENED / CONFIG_RANDOM_KMALLOC_CACHES raises exploitation cost; the trade-off is potential breakage of container runtimes or applications that rely on user namespaces or unrestricted epoll usage.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46242 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy