eventpoll: fix ep_remove struct eventpoll / struct file UAF
Summary
| CVE | CVE-2026-46242 |
|---|
| State | PUBLISHED |
|---|
| Assigner | Linux |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2026-05-30 13:16:21 UTC |
|---|
| Updated | 2026-05-30 13:16:21 UTC |
|---|
| Description | In the Linux kernel, the following vulnerability has been resolved:
eventpoll: fix ep_remove struct eventpoll / struct file UAF
ep_remove() (via ep_remove_file()) cleared file->f_ep under
file->f_lock but then kept using @file inside the critical section
(is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).
A concurrent __fput() taking the eventpoll_release() fastpath in
that window observed the transient NULL, skipped
eventpoll_release_file() and ran to f_op->release / file_free().
For the epoll-watches-epoll case, f_op->release is
ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which
kfree()s the watched struct eventpoll. Its embedded ->refs
hlist_head is exactly where epi->fllink.pprev points, so the
subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed
kmalloc-192 memory.
In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot
backing @file could be recycled by alloc_empty_file() --
reinitializing f_lock and f_ep -- while ep_remove() is still
nominally inside that lock. The upshot is an attacker-controllable
kmem_cache_free() against the wrong slab cache.
Pin @file via epi_fget() at the top of ep_remove() and gate the
critical section on the pin succeeding. With the pin held @file
cannot reach refcount zero, which holds __fput() off and
transitively keeps the watched struct eventpoll alive across the
hlist_del_rcu() and the f_lock use, closing both UAFs.
If the pin fails @file has already reached refcount zero and its
__fput() is in flight. Because we bailed before clearing f_ep,
that path takes the eventpoll_release() slow path into
eventpoll_release_file() and blocks on ep->mtx until the waiter
side's ep_clear_and_put() drops it. The bailed epi's share of
ep->refcount stays intact, so the trailing ep_refcount_dec_and_test()
in ep_clear_and_put() cannot free the eventpoll out from under
eventpoll_release_file(); the orphaned epi is then cleaned up
there.
A successful pin also proves we are not racing
eventpoll_release_file() on this epi, so drop the now-redundant
re-check of epi->dying under f_lock. The cheap lockless
READ_ONCE(epi->dying) fast-path bailout stays. |
|---|
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|
| CNA |
Linux |
Linux |
affected 58c9b016e12855286370dfb704c08498edbc857a ef4ca02e95363e78977ca04340d44fe3b4b2b81f git |
Not specified |
| CNA |
Linux |
Linux |
affected 58c9b016e12855286370dfb704c08498edbc857a ced39b6a8062bac5c18a1c3df85634107eb8664a git |
Not specified |
| CNA |
Linux |
Linux |
affected 58c9b016e12855286370dfb704c08498edbc857a a6dc643c69311677c574a0f17a3f4d66a5f3744b git |
Not specified |
| CNA |
Linux |
Linux |
affected 6.4 |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.4 semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.18.33 6.18.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 7.0.10 7.0.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 7.1-rc1 * original_commit_for_fix |
Not specified |
References
| Reference | Source | Link | Tags |
|---|
| git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.
