CVE-2026-46259 Overview
CVE-2026-46259 is a use-after-free vulnerability in the Linux kernel's procfs subsystem. The flaw resides in do_task_stat(), which reads /proc/[pid]/stat entries. The function accesses task->real_parent without holding the Read-Copy-Update (RCU) read lock, creating a race condition with release_task(). A concurrent task release can free the parent task structure between the pointer load and its dereference inside task_tgid_nr_ns(), producing a use-after-free condition [CWE-416].
Critical Impact
Local attackers reading /proc/[pid]/stat while a parent process exits can trigger a kernel use-after-free, potentially leading to memory corruption, information disclosure, or privilege escalation.
Affected Products
- Linux kernel (mainline, multiple stable branches)
- Linux distributions shipping vulnerable kernel versions prior to the referenced stable commits
- Systems exposing /proc/[pid]/stat to unprivileged users (default on virtually all Linux installs)
Discovery Timeline
- 2026-06-03 - CVE-2026-46259 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46259
Vulnerability Analysis
The do_task_stat() function in fs/proc/array.c reads parent task information when servicing /proc/[pid]/stat. The original code loads task->real_parent into a local variable outside of any RCU read-side critical section. The pointer is then passed to task_tgid_nr_ns(), which only acquires rcu_read_lock() internally before dereferencing the parent task.
Between the initial pointer load and the later RCU acquisition, another CPU executing release_task() can call call_rcu(delayed_put_task_struct). Because the reader never held the RCU lock when it captured the pointer, RCU's grace-period guarantees do not apply. The parent task structure can be freed while the reader still holds a stale reference, and the subsequent task_pid_ptr() call dereferences freed memory.
Root Cause
The defect is an ordering bug: the RCU read-side critical section starts after the protected pointer has already been captured. RCU protects readers only when the lock surrounds both the load of the published pointer and its dereference. The fix replaces task_tgid_nr_ns() with task_ppid_nr_ns(), which correctly performs the real_parent read inside an RCU-protected region.
Attack Vector
An unprivileged local user can repeatedly open and read /proc/[pid]/stat for processes whose parents are exiting. By racing reads against parent exit on a multi-core system, an attacker can reliably hit the window between the unprotected pointer load and the late rcu_read_lock(). Successful exploitation dereferences freed task_struct memory, which an attacker can groom via heap-spraying primitives to influence kernel control flow or leak kernel memory contents.
No public proof-of-concept exploitation code is currently associated with this CVE. Technical details are available in the upstream kernel commits referenced by the Linux kernel stable tree.
Detection Methods for CVE-2026-46259
Indicators of Compromise
- Kernel oops or panic messages referencing do_task_stat, task_tgid_nr_ns, or task_pid_ptr in dmesg and /var/log/kern.log
- KASAN reports identifying use-after-free reads inside do_task_stat() when KASAN-enabled kernels are deployed
- Unprivileged processes performing high-frequency reads of /proc/*/stat concurrent with process termination activity
Detection Strategies
- Compare running kernel version against the fixed commits listed on the kernel.org stable tree and flag hosts running unpatched builds
- Monitor for anomalous procfs scanning patterns where a single non-root process opens thousands of /proc/[pid]/stat entries per second
- Enable KASAN and panic_on_oops=1 in test environments to surface latent triggering of the race during fuzzing
Monitoring Recommendations
- Collect kernel logs centrally and alert on use-after-free signatures or task_struct-related oops events
- Track process-level syscall telemetry for openat against /proc/[0-9]+/stat paired with parent process exits
- Audit kernel package versions across the fleet and prioritize hosts running long-lived, unpatched kernels
How to Mitigate CVE-2026-46259
Immediate Actions Required
- Apply the upstream kernel patches referenced in the kernel.org stable tree and reboot affected systems
- Update to vendor-supplied kernel packages once distributions backport the fix to their supported branches
- Inventory hosts exposing /proc to untrusted local users, including multi-tenant servers and container hosts
Patch Information
The fix replaces task_tgid_nr_ns(task->real_parent) with task_ppid_nr_ns(task), which performs the parent lookup inside a proper RCU read-side critical section. The patch has been merged across multiple stable branches. See the upstream commits: 0e64bd46a04a, 1c8dc5b55175, 4f9ae386861e, 73ec7c96601d, 76149d53502c, c93a33f28f91, dd8b13cb4ff1, and fefa0fcd78be.
Workarounds
- Restrict procfs visibility with the hidepid=2 mount option on /proc to limit which processes unprivileged users can enumerate
- Apply seccomp or AppArmor profiles to untrusted workloads that block openat against /proc/[pid]/stat for processes outside the caller's own PID
- In container environments, enforce user namespaces and avoid sharing the host PID namespace with untrusted containers
# Configuration example: restrict /proc visibility to a trusted group
mount -o remount,hidepid=2,gid=proc /proc
# Persist the setting in /etc/fstab
# proc /proc proc defaults,hidepid=2,gid=proc 0 0
# Verify the running kernel against the fixed stable commits
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
