Skip to main content

Linux Kernel CVE-2026-46259

| EUVDEUVD-2026-34121 HIGH
2026-06-03 Linux GHSA-vg6r-r7wf-v3q2
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 05, 2026 - 07:26 vuln.today
CVSS changed
Jun 05, 2026 - 07:22 NVD
7.8 (HIGH)
Patch available
Jun 03, 2026 - 19:01 EUVD
CVE Published
Jun 03, 2026 - 15:49 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 03, 2026 - 15:49 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

procfs: fix missing RCU protection when reading real_parent in do_task_stat()

When reading /proc/[pid]/stat, do_task_stat() accesses task->real_parent without proper RCU protection, which leads to:

cpu 0 cpu 1 ----- ----- do_task_stat var = task->real_parent release_task call_rcu(delayed_put_task_struct) task_tgid_nr_ns(var) rcu_read_lock <--- Too late to protect task->real_parent! task_pid_ptr <--- UAF! rcu_read_unlock

This patch uses task_ppid_nr_ns() instead of task_tgid_nr_ns() to add proper RCU protection for accessing task->real_parent.

AnalysisAI

Use-after-free in the Linux kernel's procfs subsystem allows a local low-privileged attacker to potentially trigger memory corruption when reading /proc/[pid]/stat due to missing RCU protection around task->real_parent access in do_task_stat(). The race condition occurs when a parent task is released concurrently with another process reading its stat file, leading to a UAF dereference. No public exploit identified at time of analysis, and EPSS scoring is very low (0.02%, 7th percentile), indicating limited expected exploitation activity.

Technical ContextAI

The vulnerability resides in fs/proc/array.c within the do_task_stat() function, which serves /proc/[pid]/stat reads used by tools like ps, top, and procps. The root cause is a classic Read-Copy-Update (RCU) protection gap: the code reads task->real_parent into a local variable and only later acquires rcu_read_lock() inside task_tgid_nr_ns(). Between those operations, release_task() on another CPU can invoke call_rcu(delayed_put_task_struct), eventually freeing the parent task_struct. The downstream task_pid_ptr() call then dereferences freed memory, producing a use-after-free (CWE-416 class). The fix replaces task_tgid_nr_ns() with task_ppid_nr_ns(), which establishes the RCU read-side critical section before touching real_parent. Affected CPEs cover the linux:linux product across many version trees.

RemediationAI

Patch available per vendor advisory: upgrade to a fixed stable kernel - 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0 - or pick up the equivalent stable-tree commits listed at git.kernel.org/stable/c/ (e.g., fefa0fcd78be465b7ad4c497fa6ec90d64194c04 and the siblings referenced in the CVE). Distribution users should track their vendor kernel update channels (RHEL, Ubuntu, SUSE, Debian, Amazon Linux) and apply the corresponding backport once shipped. Where prompt patching is not feasible, compensating controls are limited because /proc/[pid]/stat is read by many normal tools; options include restricting local low-privilege user access on multi-tenant hosts, mounting /proc with hidepid=2 or hidepid=invisible (gid=) to limit which stat files are visible to non-owners (side effect: breaks ps/top visibility across users and may affect monitoring agents), and tightening container/namespace isolation so untrusted workloads cannot freely enumerate host PIDs - none of these eliminate the race but they shrink the attack surface.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-46259 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy