Skip to main content

Linux Kernel EUVDEUVD-2026-32823

| CVE-2026-46196 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3j98-4vrc-2fpm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 19:26 vuln.today
CVSS changed
Jun 10, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()

When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.

For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.

Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.

AnalysisAI

Persistent availability degradation in the Linux kernel tracepoint subsystem results from an unbalanced regfunc()/unregfunc() pair when tracepoint_add_func() fails mid-registration. When func_add() returns an error (such as -ENOMEM) after regfunc() has already executed, ext->unregfunc() is never called, leaving side effects permanently in place - for syscall tracepoints, this sticks sys_tracepoint_refcount at a non-zero value and keeps SYSCALL_TRACEPOINT set on every running task, imposing unnecessary syscall trace entry/exit overhead on all processes until reboot. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating this is a low-probability exploitation target, though it is a confirmed kernel-quality bug with patches issued across multiple stable branches.

Technical ContextAI

The Linux kernel's static tracepoint framework supports subsystem-specific registration callbacks through the tracepoint_ext structure's regfunc()/unregfunc() pair. On a 0→1 probe count transition, tracepoint_add_func() calls ext->regfunc() to establish subsystem state, then invokes func_add() to install the probe into the probe array via allocate_probes(). If allocate_probes() cannot allocate memory and returns -ENOMEM, the error path returns immediately without calling ext->unregfunc() to unwind the regfunc() side effects - an asymmetric cleanup failure. For syscall tracepoints specifically, syscall_regfunc() increments the global sys_tracepoint_refcount and calls set_syscall_tracepoint() on every task_struct via for_each_process(), setting TIF_SYSCALL_TRACEPOINT per-thread. With the refcount stuck non-zero, the kernel's syscall entry/exit paths continue executing tracepoint hooks for all threads with no registered consumer. Affected products are confirmed by CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across multiple stable version branches starting from commit 8cf868affdc459beee1a941df0cfaba1673740e3. No CWE is formally assigned by NVD, but the root cause class is incomplete error-path cleanup, analogous to CWE-459 (Incomplete Cleanup) or CWE-755 (Improper Handling of Exceptional Conditions).

RemediationAI

Upgrade to a patched kernel version: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc1 depending on the stable branch in use. Patch commits are available at git.kernel.org/stable/c/247ed8a969f9, 2c5b8eeea006, 342829e042ac, 7bcadb3c2bc1, and fad217e16fde. The fix adds a symmetric ext->unregfunc() call in the func_add() error path, mirroring the existing 1→0 cleanup logic. If immediate kernel upgrade is not feasible, restrict unprivileged access to kernel tracing interfaces by tightening permissions on /sys/kernel/debug/tracing/ and /sys/kernel/tracing/ (e.g., mode 0700 root-only), which prevents unprivileged users from initiating tracepoint registrations; note this disables legitimate tracing for non-root users. Additionally, setting kernel.perf_event_paranoid=3 and kernel.kptr_restrict=2 via sysctl reduces the tracing attack surface broadly, though these do not directly block this specific code path. There are no known workarounds that neutralize the bug without restricting tracing access.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy