eventpoll Struct UAF
CVE-2026-43074
Severity: HIGH (CVSS 7.8)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: KernelScan AI
01 Description
In the Linux kernel, the following vulnerability has been resolved:

eventpoll: defer struct eventpoll free to RCU grace period

In certain situations, ep_free() in eventpoll.c will kfree the epi->ep eventpoll struct while it is still being used by another concurrent thread. Defer the kfree() to an RCU callback to prevent UAF.
02 KernelScan AI Analysis
Risk summary
Local attackers with low privileges can trigger a use-after-free in the eventpoll subsystem, potentially leading to arbitrary code execution or system crashes. This affects systems where multiple threads use epoll file descriptors concurrently, which is common in high-performance network applications.
Vulnerability analysis
The vulnerability occurs in ep_free(), where the eventpoll struct is freed with kfree() while concurrent threads may still access it through RCU-protected walks in ep_get_upwards_depth_proc(). The root cause is a race between eventpoll cleanup and concurrent access: the refcounting optimization introduced in commit 58c9b016e128 created a window in which the struct could be freed before all RCU readers had finished. The fix defers the actual memory deallocation by using kfree_rcu() instead of an immediate kfree(), so the struct remains valid until the RCU grace period completes. This is locally exploitable by any process that can create epoll file descriptors and manipulate them from multiple threads.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.83 | a6d570843721 |
| 6.18 | 6.18.24 | a6566cd33f6f |
| 6.19 | 6.19.14 | 5b1173b16542 |
| 6.6 | 6.6.136 | 902120be4f44 |
| mainline | 7.0 | 7e8083f5eeed |