CVE-2026-46242
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
30/05/2026
Last modified:
09/07/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
eventpoll: fix ep_remove struct eventpoll / struct file UAF<br />
<br />
ep_remove() (via ep_remove_file()) cleared file->f_ep under<br />
file->f_lock but then kept using @file inside the critical section<br />
(is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).<br />
A concurrent __fput() taking the eventpoll_release() fastpath in<br />
that window observed the transient NULL, skipped<br />
eventpoll_release_file() and ran to f_op->release / file_free().<br />
<br />
For the epoll-watches-epoll case, f_op->release is<br />
ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which<br />
kfree()s the watched struct eventpoll. Its embedded ->refs<br />
hlist_head is exactly where epi->fllink.pprev points, so the<br />
subsequent hlist_del_rcu()&#39;s "*pprev = next" scribbles into freed<br />
kmalloc-192 memory.<br />
<br />
In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot<br />
backing @file could be recycled by alloc_empty_file() --<br />
reinitializing f_lock and f_ep -- while ep_remove() is still<br />
nominally inside that lock. The upshot is an attacker-controllable<br />
kmem_cache_free() against the wrong slab cache.<br />
<br />
Pin @file via epi_fget() at the top of ep_remove() and gate the<br />
critical section on the pin succeeding. With the pin held @file<br />
cannot reach refcount zero, which holds __fput() off and<br />
transitively keeps the watched struct eventpoll alive across the<br />
hlist_del_rcu() and the f_lock use, closing both UAFs.<br />
<br />
If the pin fails @file has already reached refcount zero and its<br />
__fput() is in flight. Because we bailed before clearing f_ep,<br />
that path takes the eventpoll_release() slow path into<br />
eventpoll_release_file() and blocks on ep->mtx until the waiter<br />
side&#39;s ep_clear_and_put() drops it. The bailed epi&#39;s share of<br />
ep->refcount stays intact, so the trailing ep_refcount_dec_and_test()<br />
in ep_clear_and_put() cannot free the eventpoll out from under<br />
eventpoll_release_file(); the orphaned epi is then cleaned up<br />
there.<br />
<br />
A successful pin also proves we are not racing<br />
eventpoll_release_file() on this epi, so drop the now-redundant<br />
re-check of epi->dying under f_lock. The cheap lockless<br />
READ_ONCE(epi->dying) fast-path bailout stays.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.209 (including) | 5.16 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.175 (including) | 6.2 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.4 (including) | 6.18.33 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.10 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2de4db145b2992da496fea6c51f9839be678ae24
- https://git.kernel.org/stable/c/9324de74a3a59b9fde9b62ee45ebaa71458ba2e5
- https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b
- https://git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a
- https://git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f
- http://www.openwall.com/lists/oss-security/2026/07/08/14



