NVD

CVE-2026-46242 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file UAF ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free(). For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed kmalloc-192 memory. In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache. Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs. If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there. A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

Nist CVSS score does not match with CNA score

CNA: kernel.org

Base Score: 7.8 HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b	kernel.org	Patch
https://git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a	kernel.org	Patch
https://git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f	kernel.org	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-416	Use After Free	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

CVE Modified by kernel.org 6/17/2026 6:53:23 AM

Action

Type

Old Value

New Value

Added

Affected

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/eventpoll.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"58c9b016e12855286370dfb704c08498edbc857a","lessThan":"ef4ca02e95363e78977ca04340d44fe3b4b2b81f","versionType":"git","status":"affected"},{"version":"58c9b016e12855286370dfb704c08498edbc857a","lessThan":"ced39b6a8062bac5c18a1c3df85634107eb8664a","versionType":"git","status":"affected"},{"version":"58c9b016e12855286370dfb704c08498edbc857a","lessThan":"a6dc643c69311677c574a0f17a3f4d66a5f3744b","versionType":"git","status":"affected"},{"version":"f2451def095c1743adcfcb0cb5dadc86034e162a","versionType":"git","status":"affected"},{"version":"a1f93804449d13f97dabd4b996817de4bf1ed67a","versionType":"git","status":"affected"},{"version":"5.15.209","lessThan":"5.16","versionType":"semver","status":"affected"},{"version":"6.1.175","lessThan":"6.2","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/eventpoll.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.4","status":"affected"},{"version":"0","lessThan":"6.4","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

Initial Analysis by NIST 6/10/2026 5:18:49 PM

Action	Type	New Value
Added	CWE	CWE-416
Added	CPE Configuration	OR cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.19 up to (excluding) 7.0.10 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.15.209 up to (excluding) 5.16 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.1.175 up to (excluding) 6.2 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.4 up to (excluding) 6.18.33
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f Types: Patch

New CVE Received from kernel.org 5/30/2026 9:16:21 AM

Action	Type	New Value
Added	Description	Record truncated, showing 2048 of 2153 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file UAF ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free(). For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed kmalloc-192 memory. In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache. Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs. If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there. A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redunda
Added	Reference	https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b
Added	Reference	https://git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a
Added	Reference	https://git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f

Quick Info

CVE Dictionary Entry:
CVE-2026-46242
NVD Published Date:
05/30/2026
NVD Last Modified:
06/17/2026
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2026-46242 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

CVE Modified by kernel.org 6/17/2026 6:53:23 AM

Initial Analysis by NIST 6/10/2026 5:18:49 PM

CVE Modified by kernel.org 6/05/2026 3:16:30 AM

New CVE Received from kernel.org 5/30/2026 9:16:21 AM

Quick Info