PatchSiren cyber security CVE debrief
CVE-2026-46274 Linux CVE debrief
A use-after-free vulnerability was discovered in the Linux kernel's io-wq subsystem. The io_wq_remove_pending function did not properly check if the predecessor work was hashed before updating the hash_tail array. This could lead to a dangling pointer being stored in the hash_tail array, allowing for remote code execution.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-14
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-14
Who should care
Users of the Linux kernel, particularly those who use the io-wq subsystem, should be aware of this vulnerability and take steps to patch their systems.
Technical summary
The io_wq_remove_pending function in the Linux kernel did not properly check if the predecessor work was hashed before updating the hash_tail array. This could lead to a use-after-free error and potentially allow for remote code execution.
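The flaw summarized above, reduced to a user-space model as an added example (not kernel code and not taken from the advisory). The struct names, the `check_hashed` switch and the convention that an unhashed item carries bucket value 0 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

#define NR_BUCKETS 4

/* Simplified user-space model; names and layout are assumptions. */
struct work {
    struct work *next;
    bool hashed;     /* item belongs to a hash bucket */
    unsigned hash;   /* bucket index; assumed 0 when not hashed */
};

struct queue {
    struct work *head;
    struct work *hash_tail[NR_BUCKETS]; /* last pending hashed item per bucket */
};

/* Unlink w, whose list predecessor is prev (or NULL). check_hashed=false
 * models the flaw: prev's bucket value is trusted without confirming that
 * prev is a hashed item at all. */
static void remove_pending(struct queue *q, struct work *w,
                           struct work *prev, bool check_hashed)
{
    if (w->hashed && q->hash_tail[w->hash] == w) {
        bool prev_ok = prev && prev->hash == w->hash;
        if (check_hashed)
            prev_ok = prev_ok && prev->hashed;
        q->hash_tail[w->hash] = prev_ok ? prev : NULL;
    }
    if (prev)
        prev->next = w->next;
    else
        q->head = w->next;
    w->next = NULL;
}

/* Constructed scenario: unhashed item a is queued ahead of hashed item b
 * (bucket 0), then b is removed. Returns true when hash_tail[0] is left
 * pointing at a, a pointer that dangles once a completes and is freed. */
static bool tail_points_at_unhashed(bool check_hashed)
{
    struct work a = { .next = NULL, .hashed = false, .hash = 0 };
    struct work b = { .next = NULL, .hashed = true, .hash = 0 };
    struct queue q = { .head = &a };
    a.next = &b;
    q.hash_tail[0] = &b;
    remove_pending(&q, &b, &a, check_hashed);
    return q.hash_tail[0] == &a;
}
```

With the hashed check in place the bucket's tail is reset to NULL instead of being handed to an item that was never tracked in that bucket.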
Defensive priority
HIGH
Recommended defensive actions
- Apply the patch from the Linux kernel repository [ref-4](https://git.kernel.org/stable/c/252c5051dba9c709b6a72f2866f93e5e618b3f06)
- Update to a version of the Linux kernel that includes the fix
Evidence notes
The CVE record [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-46274) and NVD detail [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-46274) provide additional information about this vulnerability.
Official resources
- CVE-2026-46274 CVE record (CVE.org)
- CVE-2026-46274 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVE-2026-46274 was published on 2026-06-08T16:16:40.707Z and modified on 2026-06-14T06:16:22.063Z.