PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46242 Linux CVE debrief

A use-after-free (UAF) vulnerability in the Linux kernel's eventpoll (epoll) subsystem allows concurrent operations to trigger memory corruption. The flaw exists in ep_remove() where a struct file pointer is used after its reference count may have dropped to zero, enabling writes to freed kmalloc-192 memory and potential attacker-controllable kmem_cache_free() against incorrect slab caches. The vulnerability specifically affects nested epoll configurations where an epoll watch monitors another epoll instance. A fix pins the struct file reference for the duration of the critical section, preventing the race with __fput() and subsequent premature freeing of the watched struct eventpoll.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-30
Original CVE updated: 2026-06-01
Advisory published: 2026-05-30
Advisory updated: 2026-06-01

Who should care

Linux kernel maintainers, cloud providers running multi-tenant workloads, container platform operators, and organizations with systems using nested epoll patterns or exposing epoll-based services to untrusted code.

Technical summary

The vulnerability is a race condition in the Linux kernel's eventpoll subsystem, specifically in ep_remove() and ep_remove_file(). The code clears file->f_ep under file->f_lock but keeps using the file pointer within the same critical section. A concurrent __fput() taking the eventpoll_release() fast path can observe the transient NULL in file->f_ep, skip eventpoll_release_file(), and proceed straight to f_op->release and file_free().

For nested epoll (an epoll instance watching another epoll instance), this triggers ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the struct eventpoll. The embedded ->refs hlist_head is then the target of a subsequent hlist_del_rcu() operation, producing a write into freed kmalloc-192 memory.

Additionally, because struct file is SLAB_TYPESAFE_BY_RCU, the backing memory can be recycled by alloc_empty_file() while ep_remove() still holds the lock, which can lead to kmem_cache_free() being called against the wrong slab cache.

The fix adds epi_fget() to pin the struct file reference at the start of ep_remove(), so __fput() cannot complete and the struct eventpoll remains alive throughout the critical section. If pinning fails, the file has already reached refcount zero, and the slow path through eventpoll_release_file() handles cleanup safely.
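As an added illustration (not code from this page or from the kernel), the following user-space C model shows the pin-or-bail shape the fix gives ep_remove(): take a reference only while the count is nonzero, do the f_ep work under that reference, and otherwise defer to the release slow path. All names (model_file, model_file_pin, model_ep_remove) are hypothetical stand-ins for the kernel structures and helpers named above.

```c
/* User-space model of the pin-or-bail refcount pattern that epi_fget() gives
 * ep_remove(). Every name here is hypothetical; this is not Linux kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

struct model_file {
    atomic_long f_count;  /* stands in for file->f_count */
    void *f_ep;           /* stands in for file->f_ep; NULL once detached */
    bool freed;           /* set when the last reference is dropped */
};
enum remove_path { REMOVE_PINNED, REMOVE_SLOWPATH };

static void model_file_init(struct model_file *f, long count)
{
    atomic_store(&f->f_count, count);
    f->f_ep = f;          /* any non-NULL marker: "an epoll watch is attached" */
    f->freed = false;
}

/* Like the inc-not-zero primitive behind epi_fget(): take a reference only if
 * the count is still nonzero. A zero count means __fput() already owns the
 * object's lifetime, so the caller must not touch it. */
static bool model_file_pin(struct model_file *f)
{
    long cur = atomic_load(&f->f_count);
    while (cur != 0) {
        /* on failure the CAS reloads cur, so a concurrent drop to 0 is seen */
        if (atomic_compare_exchange_weak(&f->f_count, &cur, cur + 1))
            return true;
    }
    return false;
}

/* Drop a reference; the final drop is what __fput() would do. */
static void model_file_put(struct model_file *f)
{
    if (atomic_fetch_sub(&f->f_count, 1) == 1)
        f->freed = true;
}

/* Shape of the fixed ep_remove(): pin, do the f_ep work, unpin. While pinned
 * the count is at least 2, so a concurrent put cannot reach the free path. */
static enum remove_path model_ep_remove(struct model_file *f, long *count_during)
{
    if (!model_file_pin(f))
        return REMOVE_SLOWPATH;   /* count already 0: leave it to the release slow path */
    *count_during = atomic_load(&f->f_count);
    f->f_ep = NULL;               /* the critical-section work, now safe */
    model_file_put(f);
    return REMOVE_PINNED;
}
```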

Defensive priority

High

Recommended defensive actions

  • Apply the referenced stable kernel commits as soon as available for your distribution.
  • Prioritize patching systems that use nested epoll configurations or untrusted workloads with epoll.
  • Monitor for stable kernel updates from your Linux distribution containing the fix commits.
  • Consider enabling kernel livepatching if available to apply fixes without reboot on critical systems.
  • Review application architectures that rely on epoll-watches-epoll patterns for potential exposure.

Evidence notes

The vulnerability description was published 2026-05-30 and modified 2026-06-01. The fix involves adding epi_fget() at the top of ep_remove() to pin the struct file reference, gating the critical section on successful pinning. This prevents __fput() from proceeding while the file is in use, which transitively keeps the watched struct eventpoll alive across hlist_del_rcu() and f_lock operations. Three stable kernel commits are referenced as fixes.

Official resources

2026-05-30T13:16:21.980Z