CVE-2026-46242
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux Kernel eventpoll

Publication date: 2026-05-30

Last updated on: 2026-06-10

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file UAF ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free(). For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed kmalloc-192 memory. In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache. Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs. If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there. A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-30
Last Modified
2026-06-10
Generated
2026-06-19
AI Q&A
2026-05-30
EPSS Evaluated
2026-06-18
NVD
CVE-2026-46242
EUVD
EUVD-2026-33459
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 5.15.209 (inc) to 5.16 (exc)
linux linux_kernel From 6.1.175 (inc) to 6.2 (exc)
linux linux_kernel From 6.4 (inc) to 6.18.33 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free (UAF) issue in the Linux kernel's eventpoll subsystem, specifically in the ep_remove() function. The problem occurs because ep_remove() clears a pointer (file->f_ep) under a lock but continues to use the file structure inside the critical section. Concurrently, another function (__fput()) may observe this cleared pointer and skip necessary cleanup steps, leading to the freeing of memory that is still in use.

This results in subsequent operations writing into freed memory, causing memory corruption. Additionally, the file structure can be recycled and reinitialized while still in use, allowing an attacker to manipulate kernel memory caches incorrectly.

The fix involves pinning the file structure at the start of ep_remove() to prevent it from being freed while still in use, ensuring proper synchronization and preventing the use-after-free condition.

Impact Analysis

This vulnerability can lead to memory corruption in the Linux kernel, which may be exploitable by an attacker to cause system instability, crashes, or potentially execute arbitrary code with kernel privileges.

Because it involves use-after-free and improper memory handling, an attacker with the ability to trigger this vulnerability could compromise the security and reliability of the affected system.

Mitigation Strategies

The vulnerability has been resolved by changes in the Linux kernel's eventpoll subsystem, specifically by pinning the file structure at the start of ep_remove() to prevent use-after-free conditions.

Immediate mitigation steps would typically include updating the Linux kernel to a version that contains this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46242. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart