CVE-2026-46242
Description
In the Linux kernel, the following vulnerability has been resolved:
eventpoll: fix ep_remove struct eventpoll / struct file UAF
ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().
For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed kmalloc-192 memory.
In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.
Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.
If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.
A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
79- osv-coords77 versionspkg:linux/kernelpkg:rpm/almalinux/kernelpkg:rpm/almalinux/kernel-64kpkg:rpm/almalinux/kernel-64k-corepkg:rpm/almalinux/kernel-64k-debugpkg:rpm/almalinux/kernel-64k-debug-corepkg:rpm/almalinux/kernel-64k-debug-develpkg:rpm/almalinux/kernel-64k-debug-devel-matchedpkg:rpm/almalinux/kernel-64k-debug-modulespkg:rpm/almalinux/kernel-64k-debug-modules-corepkg:rpm/almalinux/kernel-64k-debug-modules-extrapkg:rpm/almalinux/kernel-64k-develpkg:rpm/almalinux/kernel-64k-devel-matchedpkg:rpm/almalinux/kernel-64k-modulespkg:rpm/almalinux/kernel-64k-modules-corepkg:rpm/almalinux/kernel-64k-modules-extrapkg:rpm/almalinux/kernel-abi-stablelistspkg:rpm/almalinux/kernel-corepkg:rpm/almalinux/kernel-cross-headerspkg:rpm/almalinux/kernel-debugpkg:rpm/almalinux/kernel-debug-corepkg:rpm/almalinux/kernel-debug-develpkg:rpm/almalinux/kernel-debug-devel-matchedpkg:rpm/almalinux/kernel-debug-modulespkg:rpm/almalinux/kernel-debug-modules-corepkg:rpm/almalinux/kernel-debug-modules-extrapkg:rpm/almalinux/kernel-debug-uki-virtpkg:rpm/almalinux/kernel-develpkg:rpm/almalinux/kernel-devel-matchedpkg:rpm/almalinux/kernel-docpkg:rpm/almalinux/kernel-headerspkg:rpm/almalinux/kernel-modulespkg:rpm/almalinux/kernel-modules-corepkg:rpm/almalinux/kernel-modules-extrapkg:rpm/almalinux/kernel-modules-extra-matchedpkg:rpm/almalinux/kernel-rtpkg:rpm/almalinux/kernel-rt-64kpkg:rpm/almalinux/kernel-rt-64k-corepkg:rpm/almalinux/kernel-rt-64k-debugpkg:rpm/almalinux/kernel-rt-64k-debug-corepkg:rpm/almalinux/kernel-rt-64k-debug-develpkg:rpm/almalinux/kernel-rt-64k-debug-modulespkg:rpm/almalinux/kernel-rt-64k-debug-modules-corepkg:rpm/almalinux/kernel-rt-64k-debug-modules-extrapkg:rpm/almalinux/kernel-rt-64k-develpkg:rpm/almalinux/kernel-rt-64k-modulespkg:rpm/almalinux/kernel-rt-64k-modules-corepkg:rpm/almalinux/kernel-rt-64k-modules-extrapkg:rpm/almalinux/kernel-rt-corepkg:rpm/almalinux/kernel-rt-debugpkg:rpm/almalinux/kernel-rt-debug-corepkg:rpm/almalinux/kernel-rt-debug-develpkg:rpm/almalinux/kernel-rt-debug-modulespkg:rpm/almalinux/kernel-rt-debug-modules-corepkg:rpm/almalinux/kernel-rt-debug-modules-extrapkg:rpm/almalinux/kernel-rt-develpkg:rpm/almalinux/kernel-rt-modulespkg:rpm/almalinux/kernel-rt-modules-corepkg:rpm/almalinux/kernel-rt-modules-extrapkg:rpm/almalinux/kernel-toolspkg:rpm/almalinux/kernel-tools-libspkg:rpm/almalinux/kernel-tools-libs-develpkg:rpm/almalinux/kernel-uki-virtpkg:rpm/almalinux/kernel-uki-virt-addonspkg:rpm/almalinux/kernel-zfcpdumppkg:rpm/almalinux/kernel-zfcpdump-corepkg:rpm/almalinux/kernel-zfcpdump-develpkg:rpm/almalinux/kernel-zfcpdump-devel-matchedpkg:rpm/almalinux/kernel-zfcpdump-modulespkg:rpm/almalinux/kernel-zfcpdump-modules-corepkg:rpm/almalinux/kernel-zfcpdump-modules-extrapkg:rpm/almalinux/libperfpkg:rpm/almalinux/perfpkg:rpm/almalinux/python3-perfpkg:rpm/almalinux/rtlapkg:rpm/almalinux/rvpkg:rpm/opensuse/kernel-source&distro=openSUSE%20Tumbleweed
>= 6.4.0, < 6.6.144+ 76 more
- (no CPE)range: >= 6.4.0, < 6.6.144
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 6.12.0-211.31.1.el10_2
- (no CPE)range: < 7.0.11-1.1
Patches
Vulnerability mechanics
References
3News mentions
6- 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux DistrosThe Hacker News · Jul 8, 2026
- ⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and MoreThe Hacker News · Jul 6, 2026
- Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access VulnerabilitySecurityWeek · Jul 6, 2026
- 6th July – Threat Intelligence ReportCheck Point Research · Jul 6, 2026
- New “Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers and Android DevicesCyber Security News · Jul 4, 2026
- New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits AndroidThe Hacker News · Jul 3, 2026