Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46242

CVE-2026-46242: Linux Kernel Use-After-Free Vulnerability

CVE-2026-46242 is a use-after-free vulnerability in the Linux kernel's eventpoll subsystem that can lead to memory corruption. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-46242 Overview

CVE-2026-46242 is a use-after-free vulnerability in the Linux kernel's eventpoll (epoll) subsystem. The flaw resides in ep_remove() and its helper ep_remove_file(), where file->f_ep is cleared under file->f_lock but the @file pointer continues to be used inside the critical section. A concurrent __fput() taking the eventpoll_release() fastpath can observe the transient NULL, skip eventpoll_release_file(), and free the watched struct eventpoll. The result is memory corruption against freed kmalloc-192 memory and, because struct file is SLAB_TYPESAFE_BY_RCU, an attacker-controllable kmem_cache_free() against the wrong slab cache.

Critical Impact

Concurrent epoll teardown can corrupt freed kernel slab memory and trigger an attacker-influenced free against the wrong cache, enabling potential local privilege escalation.

Affected Products

  • Linux kernel (mainline) with the affected fs/eventpoll.c implementation
  • Stable kernel branches prior to commits a6dc643c6931, ced39b6a8062, and ef4ca02e9536
  • Linux distributions shipping unpatched kernels derived from the affected branches

Discovery Timeline

  • 2026-05-30 - CVE-2026-46242 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-46242

Vulnerability Analysis

The vulnerability stems from a race between ep_remove() and __fput() during epoll cleanup. ep_remove_file() clears file->f_ep while holding file->f_lock, but then continues to dereference @file for is_file_epoll() checks, hlist_del_rcu() traversal, and the trailing spin_unlock. A concurrent __fput() reading f_ep == NULL exits through the eventpoll_release() fastpath without calling eventpoll_release_file(), allowing the file's f_op->release handler to run while ep_remove() is still using it.

For the epoll-watches-epoll scenario, f_op->release is ep_eventpoll_release(), which invokes ep_clear_and_put() and ultimately ep_free(). This kfree()s the watched struct eventpoll, whose embedded ->refs hlist_head is the exact target referenced by epi->fllink.pprev. The subsequent hlist_del_rcu() then performs *pprev = next, writing into freed kmalloc-192 memory [CWE-416].

Root Cause

The root cause is that ep_remove() did not pin the lifetime of @file for the duration of its critical section. Clearing file->f_ep under f_lock opened a window where another thread could drop the final reference, free the watched eventpoll, and recycle the file slot through the SLAB_TYPESAFE_BY_RCU cache, reinitializing f_lock and f_ep while the original lock was still held nominally.

Attack Vector

A local attacker with the ability to create and tear down epoll instances concurrently can race ep_remove() against __fput() on a watched epoll file descriptor. Winning the race produces a write into freed kernel slab memory and a misdirected kmem_cache_free(), which can be steered toward heap corruption primitives. The fix pins @file via epi_fget() at the top of ep_remove() and gates the critical section on the pin succeeding, holding __fput() off until the cleanup completes.

No public exploit code is referenced in the disclosure. See the upstream commits for the corrected logic.

Detection Methods for CVE-2026-46242

Indicators of Compromise

  • Kernel oops or panic messages referencing ep_remove, ep_remove_file, hlist_del_rcu, or ep_clear_and_put in dmesg and /var/log/kern.log
  • KASAN reports identifying use-after-free in kmalloc-192 allocations tied to eventpoll structures
  • Slab corruption warnings (kmem_cache_free against an unexpected cache) appearing during heavy epoll workloads

Detection Strategies

  • Enable KASAN on test kernels and run epoll stress workloads that close watched epoll FDs concurrently to surface the race
  • Monitor for unexpected process crashes or kernel panics on hosts running multi-threaded applications that use nested epoll (epoll-watches-epoll)
  • Correlate kernel crash telemetry with workloads that intensively use epoll_ctl(EPOLL_CTL_DEL) and close() from multiple threads

Monitoring Recommendations

  • Centralize kernel ring buffer and crash dump collection from Linux endpoints for retrospective analysis
  • Alert on repeated soft lockups, RCU stalls, or general protection faults originating in fs/eventpoll.c
  • Track kernel package versions across the fleet to identify hosts still running pre-patch builds

How to Mitigate CVE-2026-46242

Immediate Actions Required

  • Apply the upstream kernel patches referenced below and reboot affected systems
  • Inventory Linux hosts and prioritize multi-tenant, container, and shared-compute environments where local code execution is reachable
  • Restrict untrusted local code execution on hosts that cannot be patched immediately

Patch Information

The fix pins @file via epi_fget() at the entry of ep_remove() and only enters the critical section if the pin succeeds. With the pin held, @file cannot reach refcount zero, blocking __fput() and keeping the watched struct eventpoll alive across the hlist_del_rcu() and f_lock use. A failed pin diverts the racing __fput() into the eventpoll_release_file() slow path, which blocks on ep->mtx until cleanup completes. The redundant re-check of epi->dying under f_lock is dropped. See the upstream commits a6dc643c6931, ced39b6a8062, and ef4ca02e9536.

Workarounds

  • No supported workaround exists; the only complete remediation is applying the upstream patch
  • Reduce exposure by limiting local user access and disabling untrusted workloads on shared kernels until patched
  • Use distribution-provided live patching where available to close the window without rebooting
bash
# Verify kernel version and pending updates
uname -r
# Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade linux-image-$(uname -r)
# RHEL/Rocky/Alma
sudo dnf update kernel
# Reboot to load the patched kernel
sudo systemctl reboot

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.