{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46242","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.107Z","datePublished":"2026-05-30T12:13:45.594Z","dateUpdated":"2026-07-09T00:31:40.940Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-07-04T11:50:43.055Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: fix ep_remove struct eventpoll / struct file UAF\n\nep_remove() (via ep_remove_file()) cleared file->f_ep under\nfile->f_lock but then kept using @file inside the critical section\n(is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).\nA concurrent __fput() taking the eventpoll_release() fastpath in\nthat window observed the transient NULL, skipped\neventpoll_release_file() and ran to f_op->release / file_free().\n\nFor the epoll-watches-epoll case, f_op->release is\nep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which\nkfree()s the watched struct eventpoll. Its embedded ->refs\nhlist_head is exactly where epi->fllink.pprev points, so the\nsubsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed\nkmalloc-192 memory.\n\nIn addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot\nbacking @file could be recycled by alloc_empty_file() --\nreinitializing f_lock and f_ep -- while ep_remove() is still\nnominally inside that lock. The upshot is an attacker-controllable\nkmem_cache_free() against the wrong slab cache.\n\nPin @file via epi_fget() at the top of ep_remove() and gate the\ncritical section on the pin succeeding. With the pin held @file\ncannot reach refcount zero, which holds __fput() off and\ntransitively keeps the watched struct eventpoll alive across the\nhlist_del_rcu() and the f_lock use, closing both UAFs.\n\nIf the pin fails @file has already reached refcount zero and its\n__fput() is in flight. Because we bailed before clearing f_ep,\nthat path takes the eventpoll_release() slow path into\neventpoll_release_file() and blocks on ep->mtx until the waiter\nside's ep_clear_and_put() drops it. The bailed epi's share of\nep->refcount stays intact, so the trailing ep_refcount_dec_and_test()\nin ep_clear_and_put() cannot free the eventpoll out from under\neventpoll_release_file(); the orphaned epi is then cleaned up\nthere.\n\nA successful pin also proves we are not racing\neventpoll_release_file() on this epi, so drop the now-redundant\nre-check of epi->dying under f_lock. The cheap lockless\nREAD_ONCE(epi->dying) fast-path bailout stays."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/eventpoll.c"],"versions":[{"version":"58c9b016e12855286370dfb704c08498edbc857a","lessThan":"2de4db145b2992da496fea6c51f9839be678ae24","status":"affected","versionType":"git"},{"version":"58c9b016e12855286370dfb704c08498edbc857a","lessThan":"9324de74a3a59b9fde9b62ee45ebaa71458ba2e5","status":"affected","versionType":"git"},{"version":"58c9b016e12855286370dfb704c08498edbc857a","lessThan":"ef4ca02e95363e78977ca04340d44fe3b4b2b81f","status":"affected","versionType":"git"},{"version":"58c9b016e12855286370dfb704c08498edbc857a","lessThan":"ced39b6a8062bac5c18a1c3df85634107eb8664a","status":"affected","versionType":"git"},{"version":"58c9b016e12855286370dfb704c08498edbc857a","lessThan":"a6dc643c69311677c574a0f17a3f4d66a5f3744b","status":"affected","versionType":"git"},{"version":"f2451def095c1743adcfcb0cb5dadc86034e162a","status":"affected","versionType":"git"},{"version":"a1f93804449d13f97dabd4b996817de4bf1ed67a","status":"affected","versionType":"git"},{"version":"5.15.209","lessThan":"5.16","status":"affected","versionType":"semver"},{"version":"6.1.175","lessThan":"6.2","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/eventpoll.c"],"versions":[{"version":"6.4","status":"affected"},{"version":"0","lessThan":"6.4","status":"unaffected","versionType":"semver"},{"version":"6.6.144","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.95","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.6.144"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.12.95"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.18.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"7.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"7.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.175"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2de4db145b2992da496fea6c51f9839be678ae24"},{"url":"https://git.kernel.org/stable/c/9324de74a3a59b9fde9b62ee45ebaa71458ba2e5"},{"url":"https://git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f"},{"url":"https://git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a"},{"url":"https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b"}],"title":"eventpoll: fix ep_remove struct eventpoll / struct file UAF","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/07/08/14"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-07-09T00:31:40.940Z"}}]}}