CVE-2026-46242 Overview
CVE-2026-46242 is a use-after-free vulnerability in the Linux kernel's eventpoll (epoll) subsystem. The flaw resides in ep_remove() and its helper ep_remove_file(), where file->f_ep is cleared under file->f_lock but the @file pointer continues to be used inside the critical section. A concurrent __fput() taking the eventpoll_release() fastpath can observe the transient NULL, skip eventpoll_release_file(), and free the watched struct eventpoll. The result is memory corruption against freed kmalloc-192 memory and, because struct file is SLAB_TYPESAFE_BY_RCU, an attacker-controllable kmem_cache_free() against the wrong slab cache.
Critical Impact
Concurrent epoll teardown can corrupt freed kernel slab memory and trigger an attacker-influenced free against the wrong cache, enabling potential local privilege escalation.
Affected Products
- Linux kernel (mainline) with the affected fs/eventpoll.c implementation
- Stable kernel branches prior to commits a6dc643c6931, ced39b6a8062, and ef4ca02e9536
- Linux distributions shipping unpatched kernels derived from the affected branches
Discovery Timeline
- 2026-05-30 - CVE-2026-46242 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-46242
Vulnerability Analysis
The vulnerability stems from a race between ep_remove() and __fput() during epoll cleanup. ep_remove_file() clears file->f_ep while holding file->f_lock, but then continues to dereference @file for is_file_epoll() checks, hlist_del_rcu() traversal, and the trailing spin_unlock. A concurrent __fput() reading f_ep == NULL exits through the eventpoll_release() fastpath without calling eventpoll_release_file(), allowing the file's f_op->release handler to run while ep_remove() is still using it.
For the epoll-watches-epoll scenario, f_op->release is ep_eventpoll_release(), which invokes ep_clear_and_put() and ultimately ep_free(). This kfree()s the watched struct eventpoll, whose embedded ->refs hlist_head is the exact target referenced by epi->fllink.pprev. The subsequent hlist_del_rcu() then performs *pprev = next, writing into freed kmalloc-192 memory [CWE-416].
Root Cause
The root cause is that ep_remove() did not pin the lifetime of @file for the duration of its critical section. Clearing file->f_ep under f_lock opened a window where another thread could drop the final reference, free the watched eventpoll, and recycle the file slot through the SLAB_TYPESAFE_BY_RCU cache, reinitializing f_lock and f_ep while the original lock was still held nominally.
Attack Vector
A local attacker with the ability to create and tear down epoll instances concurrently can race ep_remove() against __fput() on a watched epoll file descriptor. Winning the race produces a write into freed kernel slab memory and a misdirected kmem_cache_free(), which can be steered toward heap corruption primitives. The fix pins @file via epi_fget() at the top of ep_remove() and gates the critical section on the pin succeeding, holding __fput() off until the cleanup completes.
No public exploit code is referenced in the disclosure. See the upstream commits for the corrected logic.
Detection Methods for CVE-2026-46242
Indicators of Compromise
- Kernel oops or panic messages referencing ep_remove, ep_remove_file, hlist_del_rcu, or ep_clear_and_put in dmesg and /var/log/kern.log
- KASAN reports identifying use-after-free in kmalloc-192 allocations tied to eventpoll structures
- Slab corruption warnings (kmem_cache_free against an unexpected cache) appearing during heavy epoll workloads
Detection Strategies
- Enable KASAN on test kernels and run epoll stress workloads that close watched epoll FDs concurrently to surface the race
- Monitor for unexpected process crashes or kernel panics on hosts running multi-threaded applications that use nested epoll (epoll-watches-epoll)
- Correlate kernel crash telemetry with workloads that intensively use epoll_ctl(EPOLL_CTL_DEL) and close() from multiple threads
Monitoring Recommendations
- Centralize kernel ring buffer and crash dump collection from Linux endpoints for retrospective analysis
- Alert on repeated soft lockups, RCU stalls, or general protection faults originating in fs/eventpoll.c
- Track kernel package versions across the fleet to identify hosts still running pre-patch builds
How to Mitigate CVE-2026-46242
Immediate Actions Required
- Apply the upstream kernel patches referenced below and reboot affected systems
- Inventory Linux hosts and prioritize multi-tenant, container, and shared-compute environments where local code execution is reachable
- Restrict untrusted local code execution on hosts that cannot be patched immediately
Patch Information
The fix pins @file via epi_fget() at the entry of ep_remove() and only enters the critical section if the pin succeeds. With the pin held, @file cannot reach refcount zero, blocking __fput() and keeping the watched struct eventpoll alive across the hlist_del_rcu() and f_lock use. A failed pin diverts the racing __fput() into the eventpoll_release_file() slow path, which blocks on ep->mtx until cleanup completes. The redundant re-check of epi->dying under f_lock is dropped. See the upstream commits a6dc643c6931, ced39b6a8062, and ef4ca02e9536.
Workarounds
- No supported workaround exists; the only complete remediation is applying the upstream patch
- Reduce exposure by limiting local user access and disabling untrusted workloads on shared kernels until patched
- Use distribution-provided live patching where available to close the window without rebooting
# Verify kernel version and pending updates
uname -r
# Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade linux-image-$(uname -r)
# RHEL/Rocky/Alma
sudo dnf update kernel
# Reboot to load the patched kernel
sudo systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

