PatchSiren

CVE-2026-46106 Linux CVE debrief

A race condition in the Linux kernel's eventfs subsystem allows use-after-free and memory corruption during concurrent remount operations and event descriptor modifications. The vulnerability exists because tracefs_apply_options() held only rcu_read_lock() while walking eventfs_inode children during remount, but this protection is insufficient against list_del_rcu() operations in eventfs_remove_rec() and SRCU-based reclamation of eventfs_inodes. Additionally, writes to ei->attr raced with eventfs_set_attr() which properly holds eventfs_mutex. The fix introduces eventfs_remount_lock() and eventfs_remount_unlock() to properly synchronize these operations with both eventfs_mutex and srcu_read_lock(&eventfs_srcu).

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Linux system administrators, kernel maintainers, security teams in organizations running custom kernel builds with dynamic tracing enabled, and developers of security monitoring tools that rely on kernel tracing infrastructure.

Technical summary

The vulnerability stems from improper synchronization in the eventfs filesystem implementation within the Linux kernel's tracing infrastructure. When tracefs_apply_options() performs a remount operation, it iterates through eventfs_inode children to apply attribute changes. The original code held only rcu_read_lock(), which provides insufficient protection against: (1) concurrent list_del_rcu() operations in eventfs_remove_rec() that can cause LIST_POISON1 dereferences, (2) SRCU-based reclamation of eventfs_inodes since rcu_read_lock() does not extend SRCU grace periods, and (3) racing writes to ei->attr from eventfs_set_attr() which holds eventfs_mutex. The fix introduces eventfs_remount_lock() and eventfs_remount_unlock() helpers that acquire both eventfs_mutex and srcu_read_lock(&eventfs_srcu), ensuring proper exclusion against all concurrent modification paths. The nested rcu_read_lock() remains safe as eventfs_set_attrs() does not sleep.

Defensive priority

high

Recommended defensive actions

  • Apply kernel updates containing commits 07004a8c4b572, 44e64d8a43283, 52b109f1b875b, ae9cd0b46b189, or ed2ad73bcb0a7 from the stable kernel tree
  • Restrict unprivileged access to /sys/kernel/tracing and kprobe_events interfaces
  • Monitor for kernel crashes or memory corruption indicators in systems using dynamic tracing
  • Review custom tracing deployments for concurrent remount patterns
  • Validate kernel lockdep warnings related to eventfs_mutex or eventfs_srcu
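
For the monitoring action above, here is an added example that is not part of the original advisory or of any kernel tooling: a Python triage that groups kernel log lines into crash reports and keeps only those whose traces name the tracefs/eventfs functions from the CVE description. The log lines are constructed, and the LIST_POISON1 value assumes x86_64 defaults.

```python
import re

# Assumption: x86_64 default poison base, where LIST_POISON1 is 0xdead000000000100.
LIST_POISON1 = "dead000000000100"
# Function names taken from the CVE description above.
SYM = re.compile(r"\b(tracefs_apply_options|eventfs_remove_rec|"
                 r"eventfs_set_attrs|eventfs_set_attr)\+0x")
START = re.compile(r"BUG: KASAN|general protection fault|BUG: unable to handle")
END = re.compile(r"---\[ end trace|={20,}")  # oops trailer or KASAN closing rule

def triage(lines):
    """Split a kernel log into crash reports; keep those naming eventfs code."""
    findings, cur = [], None
    for line in lines:
        if cur is None:
            if not START.search(line):
                continue
            cur = {"header": line.strip(), "symbols": set(),
                   "list_poison": False, "uaf": False}
        cur["symbols"].update(SYM.findall(line))
        cur["list_poison"] |= LIST_POISON1 in line.lower()
        cur["uaf"] |= "use-after-free" in line
        if END.search(line):
            if cur["symbols"]:
                findings.append(cur)
            cur = None
    if cur and cur["symbols"]:  # log ended mid-report
        findings.append(cur)
    return findings

# Constructed sample log (not captured from a real system).
SAMPLE = """\
[  812.100001] ==================================================================
[  812.100002] BUG: KASAN: slab-use-after-free in eventfs_set_attrs+0x4c/0x90
[  812.100003] Read of size 8 at addr ffff888104a2c010 by task mount/4121
[  812.100004]  tracefs_apply_options+0x1b2/0x2a0
[  812.100005] ==================================================================
[  901.200001] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP
[  901.200002] RIP: 0010:eventfs_set_attrs+0x31/0x90
[  901.200003] ---[ end trace 0000000000000000 ]---
[  950.300001] BUG: unable to handle page fault for address: ffffffffc0a01000
[  950.300002] RIP: 0010:ext4_readdir+0x10/0x400
[  950.300003] ---[ end trace 0000000000000000 ]---
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["header"], sorted(f["symbols"]), f["list_poison"], f["uaf"])
```

A match is a reason to check whether the running kernel carries one of the listed fixes, not proof of this CVE; feed the function lines from `dmesg` or the journal's kernel stream.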

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-28. The fix involves five stable kernel commits across different kernel versions. No CVSS score has been assigned as of the modified date (2026-05-28T13:44:01.663Z). The vendor is identified as the Linux Kernel project based on source repository references.
