AI description
CVE-2026-46242, dubbed "Bad Epoll," is a use-after-free vulnerability found within the Linux kernel's `eventpoll` (epoll) subsystem. The flaw arises from a race condition during the cleanup process of `epoll` file descriptors. Specifically, the `file->f_ep` pointer is cleared in the `ep_remove()` and `ep_remove_file()` functions while the `@file` pointer continues to be referenced within a critical section. This timing issue allows a concurrent `__fput()` operation to observe a transient NULL state for `f_ep`, causing it to bypass necessary cleanup routines and free the `struct eventpoll` object prematurely. Consequently, subsequent operations attempt to access freed memory, leading to memory corruption. The vulnerability affects Linux kernel versions 5.10 through 6.11, impacting a wide range of systems including enterprise servers, desktops, and Android devices.
- Description
- In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file UAF ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free(). For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed kmalloc-192 memory. In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache. Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs. If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there. A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.
- Source
- 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- NVD status
- Modified
- Products
- linux_kernel
CVSS 3.1
- Type
- Secondary
- Base score
- 7.8
- Impact score
- 5.9
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- nvd@nist.gov
- CWE-416
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
7
Added 4 new LPE exploits to lpe-toolkit: - PEdit COW CVE-2026-46331 - DirtyClone CVE-2026-43503 - Bad Epoll CVE-2026-46242 - FUSE OOB CVE-2026-31694 https://t.co/BmdCcmBkWK
@portbuster1337
6 Jul 2026
3525 Impressions
21 Retweets
81 Likes
40 Bookmarks
1 Reply
0 Quotes
Linux-Kernel Bad Epoll CVE-2026-46242: Lokaler Nutzer erhält Root auf Kernel 6.4 und neuer Am 4. Juli 2026 wurde CVE-2026-46242 veröffentlicht, eine Use-after-free-Race-Co https://t.co/onahzNgWQO https://t.co/p0R4gM18Mh
@schoenfelderED
6 Jul 2026
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Bad Epoll (CVE-2026-46242) is a Linux kernel use-after-free flaw that lets unprivileged users gain root. Affects Linux 6.4+ and Android. For More: https://t.co/ciA4rj9abR #BadEpoll #CVE #LinuxKernel #PrivilegeEscalation #Android #InfoSec #CyberSecurity #LinuxSecurity https://t
@redsecuretech
4 Jul 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A lot of offensive activities were identified targeting Linux Kernel (CVE-2026-46242) https://t.co/EsMCWe721V
@vuldb
31 May 2026
59 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
There is a new vulnerability with elevated criticality in Linux Kernel (CVE-2026-46242) https://t.co/ZjftEUzzgM
@vuldb
30 May 2026
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-46242 Linux Kernel Eventpoll Use-After-Free via Concurrent File Descriptor Operations https://t.co/Md8jvYakK8
@VulmonFeeds
30 May 2026
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA466B5F-044E-47F0-A6CE-AB474F8A9361",
"versionEndExcluding": "5.16",
"versionStartIncluding": "5.15.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "67892698-2698-487E-B4D2-EFCD2D933D19",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1.175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "51601BBF-BF40-48AF-8132-2582D7E56D71",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A13475D2-59BF-4716-94B5-7C1D239A2CF4",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]