{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-46242", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.107Z", "datePublished": "2026-05-30T12:13:45.594Z", "dateUpdated": "2026-07-09T00:31:40.940Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-07-04T11:50:43.055Z" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: fix ep_remove struct eventpoll / struct file UAF\n\nep_remove() (via ep_remove_file()) cleared file->f_ep under\nfile->f_lock but then kept using @file inside the critical section\n(is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).\nA concurrent __fput() taking the eventpoll_release() fastpath in\nthat window observed the transient NULL, skipped\neventpoll_release_file() and ran to f_op->release / file_free().\n\nFor the epoll-watches-epoll case, f_op->release is\nep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which\nkfree()s the watched struct eventpoll. Its embedded ->refs\nhlist_head is exactly where epi->fllink.pprev points, so the\nsubsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed\nkmalloc-192 memory.\n\nIn addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot\nbacking @file could be recycled by alloc_empty_file() --\nreinitializing f_lock and f_ep -- while ep_remove() is still\nnominally inside that lock. The upshot is an attacker-controllable\nkmem_cache_free() against the wrong slab cache.\n\nPin @file via epi_fget() at the top of ep_remove() and gate the\ncritical section on the pin succeeding. With the pin held @file\ncannot reach refcount zero, which holds __fput() off and\ntransitively keeps the watched struct eventpoll alive across the\nhlist_del_rcu() and the f_lock use, closing both UAFs.\n\nIf the pin fails @file has already reached refcount zero and its\n__fput() is in flight. Because we bailed before clearing f_ep,\nthat path takes the eventpoll_release() slow path into\neventpoll_release_file() and blocks on ep->mtx until the waiter\nside's ep_clear_and_put() drops it. The bailed epi's share of\nep->refcount stays intact, so the trailing ep_refcount_dec_and_test()\nin ep_clear_and_put() cannot free the eventpoll out from under\neventpoll_release_file(); the orphaned epi is then cleaned up\nthere.\n\nA successful pin also proves we are not racing\neventpoll_release_file() on this epi, so drop the now-redundant\nre-check of epi->dying under f_lock. The cheap lockless\nREAD_ONCE(epi->dying) fast-path bailout stays." } ], "metrics": [ { "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH" } } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "fs/eventpoll.c" ], "versions": [ { "version": "58c9b016e12855286370dfb704c08498edbc857a", "lessThan": "2de4db145b2992da496fea6c51f9839be678ae24", "status": "affected", "versionType": "git" }, { "version": "58c9b016e12855286370dfb704c08498edbc857a", "lessThan": "9324de74a3a59b9fde9b62ee45ebaa71458ba2e5", "status": "affected", "versionType": "git" }, { "version": "58c9b016e12855286370dfb704c08498edbc857a", "lessThan": "ef4ca02e95363e78977ca04340d44fe3b4b2b81f", "status": "affected", "versionType": "git" }, { "version": "58c9b016e12855286370dfb704c08498edbc857a", "lessThan": "ced39b6a8062bac5c18a1c3df85634107eb8664a", "status": "affected", "versionType": "git" }, { "version": "58c9b016e12855286370dfb704c08498edbc857a", "lessThan": "a6dc643c69311677c574a0f17a3f4d66a5f3744b", "status": "affected", "versionType": "git" }, { "version": "f2451def095c1743adcfcb0cb5dadc86034e162a", "status": "affected", "versionType": "git" }, { "version": "a1f93804449d13f97dabd4b996817de4bf1ed67a", "status": "affected", "versionType": "git" }, { "version": "5.15.209", "lessThan": "5.16", "status": "affected", "versionType": "semver" }, { "version": "6.1.175", "lessThan": "6.2", "status": "affected", "versionType": "semver" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "fs/eventpoll.c" ], "versions": [ { "version": "6.4", "status": "affected" }, { "version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver" }, { "version": "6.6.144", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.12.95", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.18.33", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver" }, { "version": "7.0.10", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver" }, { "version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.144" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.12.95" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.18.33" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "7.0.10" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "7.1" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.209" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.175" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/2de4db145b2992da496fea6c51f9839be678ae24" }, { "url": "https://git.kernel.org/stable/c/9324de74a3a59b9fde9b62ee45ebaa71458ba2e5" }, { "url": "https://git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f" }, { "url": "https://git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a" }, { "url": "https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b" } ], "title": "eventpoll: fix ep_remove struct eventpoll / struct file UAF", "x_generator": { "engine": "bippy-1.2.0" } }, "adp": [ { "title": "CVE Program Container", "references": [ { "url": "http://www.openwall.com/lists/oss-security/2026/07/08/14" } ], "providerMetadata": { "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-07-09T00:31:40.940Z" } } ] } }