{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\neventpoll: fix ep_remove struct eventpoll \/ struct file UAF\\n\\nep_remove() (via ep_remove_file()) cleared file-\\u003ef_ep under\\nfile-\\u003ef_lock but then kept using @file inside the critical section\\n(is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).\\nA concurrent __fput() taking the eventpoll_release() fastpath in\\nthat window observed the transient NULL, skipped\\neventpoll_release_file() and ran to f_op-\\u003erelease \/ file_free().\\n\\nFor the epoll-watches-epoll case, f_op-\\u003erelease is\\nep_eventpoll_release() -\\u003e ep_clear_and_put() -\\u003e ep_free(), which\\nkfree()s the watched struct eventpoll. Its embedded -\\u003erefs\\nhlist_head is exactly where epi-\\u003efllink.pprev points, so the\\nsubsequent hlist_del_rcu()’s \\”*pprev = next\\” scribbles into freed\\nkmalloc-192 memory.\\n\\nIn addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot\\nbacking @file could be recycled by alloc_empty_file() –\\nreinitializing f_lock and f_ep — while ep_remove() is still\\nnominally inside that lock. The upshot is an attacker-controllable\\nkmem_cache_free() against the wrong slab cache.\\n\\nPin @file via epi_fget() at the top of ep_remove() and gate the\\ncritical section on the pin succeeding. With the pin held @file\\ncannot reach refcount zero, which holds __fput() off and\\ntransitively keeps the watched struct eventpoll alive across the\\nhlist_del_rcu() and the f_lock use, closing both UAFs.\\n\\nIf the pin fails @file has already reached refcount zero and its\\n__fput() is in flight. Because we bailed before clearing f_ep,\\nthat path takes the eventpoll_release() slow path into\\neventpoll_release_file() and blocks on ep-\\u003emtx until the waiter\\nside’s ep_clear_and_put() drops it. The bailed epi’s share of\\nep-\\u003erefcount stays intact, so the trailing ep_refcount_dec_and_test()\\nin ep_clear_and_put() cannot free the eventpoll out from under\\neventpoll_release_file(); the orphaned epi is then cleaned up\\nthere.\\n\\nA successful pin also proves we are not racing\\neventpoll_release_file() on this epi, so drop the now-redundant\\nre-check of epi-\\u003edying under f_lock. The cheap lockless\\nREAD_ONCE(epi-\\u003edying) fast-path bailout stays.”,”published”:”2026-05-30T12:13:45.594Z”,”modified”:”2026-06-05T06:06:14.436Z”,”type”:”cve”,”title”:”eventpoll: fix ep_remove struct eventpoll \/ struct file UAF”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/ef4ca02e95363e78977ca04340d44fe3b4b2b81f\\nhttps:\/\/git.kernel.org\/stable\/c\/ced39b6a8062bac5c18a1c3df85634107eb8664a\\nhttps:\/\/git.kernel.org\/stable\/c\/a6dc643c69311677c574a0f17a3f4d66a5f3744b”,”id”:”CVE-2026-46242″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux 58c9b016e12855286370dfb704c08498edbc857a\\nLinux Linux 58c9b016e12855286370dfb704c08498edbc857a\\nLinux Linux 58c9b016e12855286370dfb704c08498edbc857a\\nLinux Linux f2451def095c1743adcfcb0cb5dadc86034e162a\\nLinux Linux a1f93804449d13f97dabd4b996817de4bf1ed67a\\nLinux Linux 5.15.209\\nLinux Linux 6.1.175\\nLinux Linux 6.4″,”sourceHref”:””,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”58c9b016e12855286370dfb704c08498edbc857a”,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\neventpoll: fix ep_remove struct eventpoll \/ struct file UAF\\n\\nep_remove() (via ep_remove_file()) cleared file-\\u003ef_ep under\\nfile-\\u003ef_lock but then…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,28,12,15,13,7,11,5],"class_list":["post-59992","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n