CVE-2026-46259
Description
Linux kernel procfs vulnerability allows use-after-free when reading /proc/[pid]/stat, potentially leading to system instability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Linux kernel's procfs subsystem contains a use-after-free vulnerability in the do_task_stat() function when reading the /proc/[pid]/stat file. Specifically, the task->real_parent field is accessed without adequate RCU (Read-Copy Update) protection. This issue affects versions of the Linux kernel where this code path exists and has not been patched.
Exploitation
An attacker who can cause do_task_stat() to run, for example by reading /proc/[pid]/stat for a target process, can reach the flawed code path. If release_task() runs concurrently with the do_task_stat() read, the missing RCU protection means task->real_parent can be loaded and then passed to task_tgid_nr_ns() after the parent's task_struct has been freed, producing a use-after-free.
Impact
Successful exploitation of this vulnerability can lead to a use-after-free condition, which may result in system instability, crashes, or potentially information disclosure or arbitrary code execution depending on the state of kernel memory at the time of the UAF. Because the faulty read executes in kernel context, the impact is system-wide rather than confined to the process reading the file.
Mitigation
A patch has been released that replaces the use of task_tgid_nr_ns() with task_ppid_nr_ns() to ensure proper RCU protection when accessing task->real_parent. Users should update their Linux kernel to a version containing this fix. Information regarding specific fixed versions and release dates can be found in the kernel git repository [1].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
73ec7c96601d procfs: fix missing RCU protection when reading real_parent in do_task_stat()
1 file changed · +1 −2
fs/proc/array.c+1 −2 modifieddiff --git a/fs/proc/array.c b/fs/proc/array.c index 5e4f7b411fbdb..363d9331216b9 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -531,7 +531,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, } sid = task_session_nr_ns(task, ns); - ppid = task_tgid_nr_ns(task->real_parent, ns); + ppid = task_ppid_nr_ns(task, ns); pgid = task_pgrp_nr_ns(task, ns); unlock_task_sighand(task, &flags); -- cgit 1.3-korg
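Review bot: the one hunk (@@ -531,7 +531,7 @@) drops the raw task->real_parent dereference in favour of task_ppid_nr_ns(task, ns), which is the right helper here, since it performs the real_parent read under rcu_read_lock() after a pid_alive() check and returns 0 when the parent is already gone; that last point is a user-visible change (field 4 of /proc/[pid]/stat reads 0 instead of a stale pid during the release race) and deserves a sentence in the commit message. The diffstat (+1 −2) also disagrees with the displayed hunk, which is 7 lines on each side and shows exactly one removed and one added line, so either a second hunk or a removed line has been lost in rendering and the backport should be checked against the upstream commit. The remaining entries on this page apply the same one-line change to other stable branches, and this note applies to each of them.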
fefa0fcd78be procfs: fix missing RCU protection when reading real_parent in do_task_stat()
1 file changed · +1 −2
fs/proc/array.c+1 −2 modifieddiff --git a/fs/proc/array.c b/fs/proc/array.c index 77b94c04e4aff..e97ad2bd7a9dc 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -492,7 +492,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, rsslim = READ_ONCE(sig->rlim[RLIMIT_RSS].rlim_cur); sid = task_session_nr_ns(task, ns); - ppid = task_tgid_nr_ns(task->real_parent, ns); + ppid = task_ppid_nr_ns(task, ns); pgid = task_pgrp_nr_ns(task, ns); unlock_task_sighand(task, &flags); -- cgit 1.3-korg
c93a33f28f91 procfs: fix missing RCU protection when reading real_parent in do_task_stat()
1 file changed · +1 −2
fs/proc/array.c+1 −2 modifieddiff --git a/fs/proc/array.c b/fs/proc/array.c index 2ff568dc58387..6f30b5a316678 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -510,7 +510,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, rsslim = READ_ONCE(sig->rlim[RLIMIT_RSS].rlim_cur); sid = task_session_nr_ns(task, ns); - ppid = task_tgid_nr_ns(task->real_parent, ns); + ppid = task_ppid_nr_ns(task, ns); pgid = task_pgrp_nr_ns(task, ns); unlock_task_sighand(task, &flags); -- cgit 1.3-korg
1c8dc5b55175 procfs: fix missing RCU protection when reading real_parent in do_task_stat()
1 file changed · +1 −2
fs/proc/array.c+1 −2 modifieddiff --git a/fs/proc/array.c b/fs/proc/array.c index 86fde69ec11a2..a3212f11a1b43 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -521,7 +521,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, } sid = task_session_nr_ns(task, ns); - ppid = task_tgid_nr_ns(task->real_parent, ns); + ppid = task_ppid_nr_ns(task, ns); pgid = task_pgrp_nr_ns(task, ns); unlock_task_sighand(task, &flags); -- cgit 1.3-korg
0e64bd46a04a procfs: fix missing RCU protection when reading real_parent in do_task_stat()
1 file changed · +1 −2
fs/proc/array.c+1 −2 modifieddiff --git a/fs/proc/array.c b/fs/proc/array.c index 5e4f7b411fbdb..363d9331216b9 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -531,7 +531,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, } sid = task_session_nr_ns(task, ns); - ppid = task_tgid_nr_ns(task->real_parent, ns); + ppid = task_ppid_nr_ns(task, ns); pgid = task_pgrp_nr_ns(task, ns); unlock_task_sighand(task, &flags); -- cgit 1.3-korg
4f9ae386861e procfs: fix missing RCU protection when reading real_parent in do_task_stat()
1 file changed · +1 −2
fs/proc/array.c+1 −2 modifieddiff --git a/fs/proc/array.c b/fs/proc/array.c index 2ae63189091e0..038d4b57127fe 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -529,7 +529,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, } sid = task_session_nr_ns(task, ns); - ppid = task_tgid_nr_ns(task->real_parent, ns); + ppid = task_ppid_nr_ns(task, ns); pgid = task_pgrp_nr_ns(task, ns); unlock_task_sighand(task, &flags); -- cgit 1.3-korg
dd8b13cb4ff1 procfs: fix missing RCU protection when reading real_parent in do_task_stat()
1 file changed · +1 −2
fs/proc/array.c+1 −2 modifieddiff --git a/fs/proc/array.c b/fs/proc/array.c index 42932f88141a9..5571177e0435d 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -528,7 +528,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, } sid = task_session_nr_ns(task, ns); - ppid = task_tgid_nr_ns(task->real_parent, ns); + ppid = task_ppid_nr_ns(task, ns); pgid = task_pgrp_nr_ns(task, ns); unlock_task_sighand(task, &flags); -- cgit 1.3-korg
76149d53502c procfs: fix missing RCU protection when reading real_parent in do_task_stat()
1 file changed · +1 −2
fs/proc/array.c+1 −2 modifieddiff --git a/fs/proc/array.c b/fs/proc/array.c index 39e9246f6e4af..f447e734612aa 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -529,7 +529,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, } sid = task_session_nr_ns(task, ns); - ppid = task_tgid_nr_ns(task->real_parent, ns); + ppid = task_ppid_nr_ns(task, ns); pgid = task_pgrp_nr_ns(task, ns); unlock_task_sighand(task, &flags); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"The do_task_stat() function in the Linux kernel's procfs module accesses task->real_parent without proper RCU protection."
Attack vector
An attacker can trigger this vulnerability by reading the /proc/[pid]/stat file. If a process is released concurrently while this file is being read, a race condition occurs. This race condition can lead to a use-after-free vulnerability, potentially allowing for arbitrary code execution or denial of service.
Affected code
The vulnerability exists in the `do_task_stat()` function within the `fs/proc/array.c` file. Specifically, the line accessing `task->real_parent` without adequate RCU protection is the source of the flaw. The provided patches modify this specific line.
What the fix does
The patch modifies the do_task_stat() function in fs/proc/array.c. It replaces the call to task_tgid_nr_ns(task->real_parent, ns) with task_ppid_nr_ns(task, ns). This change ensures that task->real_parent is accessed with proper RCU protection, preventing the use-after-free condition that arises when a task is released concurrently.
Preconditions
- The attacker must be able to read from /proc/[pid]/stat.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/0e64bd46a04a4fd61279aca9f53a664e9e5f7e7e (nvd)
- git.kernel.org/stable/c/1c8dc5b5517546c68ffae40b948336122bb61306 (nvd)
- git.kernel.org/stable/c/4f9ae386861e280b7631ca252f798d25575627ee (nvd)
- git.kernel.org/stable/c/73ec7c96601d61d52310c659145bb06d933a0fa6 (nvd)
- git.kernel.org/stable/c/76149d53502cf17ef3ae454ff384551236fba867 (nvd)
- git.kernel.org/stable/c/c93a33f28f915d446eea6fb3f0e1def0b3af1982 (nvd)
- git.kernel.org/stable/c/dd8b13cb4ff1a4545a214ed897fdf2bc341155b6 (nvd)
- git.kernel.org/stable/c/fefa0fcd78be465b7ad4c497fa6ec90d64194c04 (nvd)
News mentions
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 3, 2026 (Vypr Intelligence, Jun 3, 2026)