CVE-2026-46242
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
eventpoll: fix ep_remove struct eventpoll / struct file UAF
ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().
For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed kmalloc-192 memory.
In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() – reinitializing f_lock and f_ep – while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.
Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.
If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.
A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 58c9b016e12855286370dfb704c08498edbc857a < 2de4db145b2992da496fea6c51f9839be678ae24 | affected |
| Linux | Linux | 58c9b016e12855286370dfb704c08498edbc857a < 9324de74a3a59b9fde9b62ee45ebaa71458ba2e5 | affected |
| Linux | Linux | 58c9b016e12855286370dfb704c08498edbc857a < ef4ca02e95363e78977ca04340d44fe3b4b2b81f | affected |
| Linux | Linux | 58c9b016e12855286370dfb704c08498edbc857a < ced39b6a8062bac5c18a1c3df85634107eb8664a | affected |
| Linux | Linux | 58c9b016e12855286370dfb704c08498edbc857a < a6dc643c69311677c574a0f17a3f4d66a5f3744b | affected |
| Linux | Linux | f2451def095c1743adcfcb0cb5dadc86034e162a | affected |
| Linux | Linux | a1f93804449d13f97dabd4b996817de4bf1ed67a | affected |
| Linux | Linux | 5.15.209 < 5.16 | affected |
| Linux | Linux | 6.1.175 < 6.2 | affected |
| Linux | Linux | 6.4 | affected |
| Linux | Linux | 0 < 6.4 | unaffected |
| Linux | Linux | 6.6.144 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.95 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.33 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.10 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/2de4db145b2992da496fea6c51f9839be678ae24
- https://git.kernel.org/stable/c/9324de74a3a59b9fde9b62ee45ebaa71458ba2e5
- https://git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f
- https://git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a
- https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.