CVE-2026-43074 Overview
CVE-2026-43074 is a use-after-free vulnerability in the Linux kernel's eventpoll subsystem. The flaw exists in ep_free() within eventpoll.c, where the kernel frees the epi->ep eventpoll structure while another concurrent thread still references it. The upstream fix defers the kfree() to a Read-Copy-Update (RCU) callback, ensuring the structure is only released after a grace period expires. The vulnerability affects local attackers capable of issuing epoll syscalls and racing file descriptor lifecycle operations across threads.
Critical Impact
Concurrent access to a freed eventpoll structure can lead to kernel memory corruption, information disclosure, or local privilege escalation on affected Linux systems.
Affected Products
- Linux kernel (mainline) prior to the commits backporting the RCU-deferred free fix
- Stable Linux kernel branches receiving the referenced backport commits
- Linux distributions shipping unpatched kernels with the vulnerable eventpoll code path
Discovery Timeline
- 2026-05-06 - CVE-2026-43074 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43074
Vulnerability Analysis
The Linux kernel's eventpoll subsystem implements the epoll family of system calls used for scalable I/O event notification. Each epoll instance is represented by a struct eventpoll, and individual watched file descriptors are tracked via struct epitem (epi) entries that hold a back-pointer epi->ep to the parent eventpoll.
When the kernel tears down an epoll instance, ep_free() releases the struct eventpoll with kfree(). Under specific concurrent conditions, another thread can still hold or follow a reference to that structure through an epitem. The freeing thread and the accessing thread race, and the second thread dereferences memory that has already been returned to the slab allocator. This results in a classic use-after-free [CWE-416] within kernel address space.
Use-after-free conditions in the kernel are exploitable for memory disclosure or, when the freed slab is reclaimed by attacker-controlled allocations, for arbitrary write primitives leading to privilege escalation.
Root Cause
The root cause is a missing synchronization guarantee between the deallocation path in ep_free() and concurrent readers of the eventpoll structure. The original code assumed exclusive ownership at free time, but lookup paths reachable from other threads could still observe the pointer. Without an RCU grace period, the allocator could recycle the memory before all readers finished.
Attack Vector
Exploitation requires local code execution to invoke epoll_create, epoll_ctl, and close syscalls across multiple threads in a tight race window. The attacker triggers the teardown of an eventpoll instance while a parallel thread is still operating on an associated epitem, causing dereference of freed memory. The fix replaces the direct kfree() with kfree_rcu() or an equivalent call_rcu() callback so the memory is only released after a quiescent state. Refer to the upstream patches for technical details: Linux Kernel Commit 07712db8, Commit 5b1173b1, Commit 7e8083f5, Commit a6566cd3, and Commit ae0bb9c1.
Detection Methods for CVE-2026-43074
Indicators of Compromise
- Kernel oops or panic logs referencing ep_free, ep_remove, or eventpoll.c with slab corruption signatures
- KASAN reports identifying use-after-free reads or writes in the eventpoll subsystem
- Unexpected process crashes for binaries that heavily use epoll_ctl and epoll_wait under load
Detection Strategies
- Enable CONFIG_KASAN on test or canary hosts to surface use-after-free events in eventpoll paths
- Monitor kernel ring buffer (dmesg) for slab-out-of-bounds and UAF traces involving epitem or eventpoll structures
- Audit installed kernel package versions against distribution advisories that backport the referenced upstream commits
Monitoring Recommendations
- Collect and centralize kernel logs from all Linux endpoints and servers for retroactive search of eventpoll UAF signatures
- Track local processes spawning high-frequency epoll_create1 followed by rapid teardown, which can indicate race exploitation attempts
- Alert on unexpected kernel module loads or privilege transitions following kernel crash events
How to Mitigate CVE-2026-43074
Immediate Actions Required
- Inventory all Linux hosts and identify kernels that do not contain the RCU-deferred free fix for struct eventpoll
- Apply vendor-supplied kernel updates from your distribution as soon as they ship the backported commits
- Reboot affected systems after patching, since live kernels cannot be hot-swapped without livepatch tooling
- Restrict local shell access on multi-tenant systems until patches are deployed
Patch Information
The fix defers the kfree() of struct eventpoll to an RCU callback so the memory is only released after a grace period, eliminating the race against concurrent readers. The change is distributed across the upstream commits 07712db8, 5b1173b1, 7e8083f5, a6566cd3, and ae0bb9c1 referenced in the NVD entry. Apply the kernel package from your Linux distribution that incorporates these commits.
Workarounds
- No reliable workaround exists short of patching, because epoll is widely used by system services and cannot be disabled
- Reduce exposure by limiting untrusted local users on shared systems and enforcing seccomp profiles that constrain syscall surface for low-trust workloads
- Apply mandatory access control policies (SELinux, AppArmor) to confine processes that do not require epoll heavy multithreading
# Verify the running kernel version and confirm patch application
uname -r
# Debian/Ubuntu: update and install the latest kernel package
sudo apt update && sudo apt install --only-upgrade linux-image-$(uname -r)
# RHEL/CentOS/Fedora: update kernel package
sudo dnf update kernel
# Reboot to load the patched kernel
sudo systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
