Description
In the Linux kernel, the following vulnerability has been resolved:

eventpoll: defer struct eventpoll free to RCU grace period

In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
eventpoll struct while it still being used by another concurrent thread.
Defer the kfree() to an RCU callback to prevent UAF.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This bug occurs in the Linux kernel's eventpoll implementation. When a thread calls ep_free() to release an eventpoll object, the kernel code can free the underlying struct eventpoll even while another concurrent thread still holds a reference to it. This race condition results in a use‑after‑free scenario that could allow a malicious actor with sufficient privileges to manipulate memory after the kernel has released it, potentially leading to arbitrary code execution or kernel data corruption.

Affected Systems

The vulnerability affects the Linux kernel, as identified by the CNA vendor name Linux:Linux. The exact kernel releases impacted by this defect are not listed, and an explicit version range is currently unavailable.

Risk and Exploitability

The flaw is a privileged kernel use‑after‑free, a highly severe weakness. The CVSS score is not provided, and the EPSS score is unavailable, but a bug of this nature generally warrants high risk. Because the affected code operates at ring‑zero, exploitation requires a local or privileged context that can induce a race condition in eventpoll. While no exploit is publicly known, the vulnerability is serious enough that the CISA KEV catalog does not list it as of now, suggesting the risk is low to moderate but the potential impact is catastrophic if leveraged. The likely attack vector is local privilege escalation, where a privileged user or compromised application triggers the race condition via eventpoll or epoll interfaces.

Generated by OpenCVE AI on May 6, 2026 at 11:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the RCU defer fix to the eventpoll struct free operation.
  • If updating is not immediately possible, isolate vulnerable systems and restrict the use of eventpoll, epoll, or related interfaces from untrusted processes to mitigate the use‑after‑free exposure.
  • Implement kernel hardening options, such as enabling CONFIG_STATIC_RCU and kernel memory protection features (e.g., KASLR, canaries), to reduce the likelihood that a use‑after‑free can be turned into code execution.

Generated by OpenCVE AI on May 6, 2026 at 11:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: eventpoll: defer struct eventpoll free to RCU grace period In certain situations, ep_free() in eventpoll.c will kfree the epi->ep eventpoll struct while it still being used by another concurrent thread. Defer the kfree() to an RCU callback to prevent UAF.
Title eventpoll: defer struct eventpoll free to RCU grace period
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T07:21:58.210Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43074

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-06T10:16:20.343

Modified: 2026-05-06T10:16:20.343

Link: CVE-2026-43074

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T11:30:25Z

Weaknesses

No weakness.