CVE-2026-46106 - Vulnerability Details

- eventfs: Hold eventfs_mutex and SRCU when remount walks events

Description

In the Linux kernel, the following vulnerability has been resolved:

eventfs: Hold eventfs_mutex and SRCU when remount walks events

Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the
events descriptor") had eventfs_set_attrs() recurse through ei->children
on remount. The walk only holds the rcu_read_lock() taken by
tracefs_apply_options() over tracefs_inodes, which is wrong:

- list_for_each_entry over ei->children races with the list_del_rcu()
in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as
d2603279c7d6.
- eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).
rcu_read_lock() does not extend an SRCU grace period, so ti->private
can be reclaimed under the walk.
- The writes to ei->attr race with eventfs_set_attr(), which holds
eventfs_mutex.

Reproducer:

while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &
while :; do
echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events
echo > /sys/kernel/tracing/kprobe_events
done

Wrap the events portion of tracefs_apply_options() in
eventfs_remount_lock()/_unlock() that take eventfs_mutex and
srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the
nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.

Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.

Published: 2026-05-28

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`7ec535ed8724d18ae4e714d2277a5b89450659d2`	affected	< ae9cd0b46b1890040006a2fc5e905c5d6053fd02
`340f0c7067a95281ad13734f8225f49c6cf52067`	affected	< 44e64d8a432837308f4dda3ffe819f1ec092a0ba
`340f0c7067a95281ad13734f8225f49c6cf52067`	affected	< 52b109f1b875b912d4ab2c5fdd8c322d47119d9b
`340f0c7067a95281ad13734f8225f49c6cf52067`	affected	< ed2ad73bcb0a7a6cc934097d4853b6d5124c317e
`340f0c7067a95281ad13734f8225f49c6cf52067`	affected	< 07004a8c4b572171934390148ee48c4175c77eed
`99b86d85f7c73d676c50e8c35748f94dd41389da`	affected	—
`6.6.35`	affected	< 6.6.140
`6.9.6`	affected	< 6.10

Linux

affected

Version	Status	Constraints
`6.10`	affected	—
`0`	unaffected	< 6.10
`6.6.140`	unaffected	≤ 6.6.*
`6.12.88`	unaffected	≤ 6.12.*
`6.18.30`	unaffected	≤ 6.18.*
`7.0.7`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[7ec535ed8724d18ae4e714d2277a5b89450659d2,ae9cd0b46b1890040006a2fc5e905c5d6053fd02)`	affected	code_commit	—
`[340f0c7067a95281ad13734f8225f49c6cf52067,44e64d8a432837308f4dda3ffe819f1ec092a0ba)`	affected	code_commit	—
`[340f0c7067a95281ad13734f8225f49c6cf52067,52b109f1b875b912d4ab2c5fdd8c322d47119d9b)`	affected	code_commit	—
`[340f0c7067a95281ad13734f8225f49c6cf52067,ed2ad73bcb0a7a6cc934097d4853b6d5124c317e)`	affected	code_commit	—
`[340f0c7067a95281ad13734f8225f49c6cf52067,07004a8c4b572171934390148ee48c4175c77eed)`	affected	code_commit	—
`99b86d85f7c73d676c50e8c35748f94dd41389da`	affected	code_commit	—
`[6.6.35,6.6.140)`	affected	semver	—
`[6.9.6,6.10)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.10`	affected	semver	—
`[0,6.10)`	unaffected	semver	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.88,6.13.0)`	unaffected	semver	—
`[6.18.30,6.19.0)`	unaffected	semver	—
`[7.0.7,8.0.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00122.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/07004a8c4b572171934390148ee48c4175c77eed
https://git.kernel.org/stable/c/44e64d8a432837308f4dda3ffe819f1ec092a0ba
https://git.kernel.org/stable/c/52b109f1b875b912d4ab2c5fdd8c322d47119d9b
https://git.kernel.org/stable/c/ae9cd0b46b1890040006a2fc5e905c5d6053fd02
https://git.kernel.org/stable/c/ed2ad73bcb0a7a6cc934097d4853b6d5124c317e
https://lore.kernel.org/linux-cve-announce/2026052811-CVE-2026-46106-4967@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46106
https://www.cve.org/CVERecord?id=CVE-2026-46106

History

Fri, 29 May 2026 03:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-362 CWE-416

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-367
References		https://lore.kernel.org/linux-cve-announce/2026052811-CVE-2026-46106-4967@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46106 https://www.cve.org/CVERecord?id=CVE-2026-46106
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Thu, 28 May 2026 12:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: eventfs: Hold eventfs_mutex and SRCU when remount walks events Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") had eventfs_set_attrs() recurse through ei->children on remount. The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong: - list_for_each_entry over ei->children races with the list_del_rcu() in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as d2603279c7d6. - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...). rcu_read_lock() does not extend an SRCU grace period, so ti->private can be reclaimed under the walk. - The writes to ei->attr race with eventfs_set_attr(), which holds eventfs_mutex. Reproducer: while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done & while :; do echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events echo > /sys/kernel/tracing/kprobe_events done Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract. Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.
Title		eventfs: Hold eventfs_mutex and SRCU when remount walks events
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/07004a8c4b572171934390148ee48c4175c77eed https://git.kernel.org/stable/c/44e64d8a432837308f4dda3ffe819f1ec092a0ba https://git.kernel.org/stable/c/52b109f1b875b912d4ab2c5fdd8c322d47119d9b https://git.kernel.org/stable/c/ae9cd0b46b1890040006a2fc5e905c5d6053fd02 https://git.kernel.org/stable/c/ed2ad73bcb0a7a6cc934097d4853b6d5124c317e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:35:11.034Z

Updated: 2026-06-14T17:54:53.367Z

Reserved: 2026-05-13T15:03:33.097Z

Link: CVE-2026-46106

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:25.950

Modified: 2026-06-17T10:53:04.577

Link: CVE-2026-46106

Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46106 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T05:45:36Z

Weaknesses

CWE-367

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object