Description
In the Linux kernel, the following vulnerability has been resolved:

eventpoll: defer struct eventpoll free to RCU grace period

In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
eventpoll struct while it still being used by another concurrent thread.
Defer the kfree() to an RCU callback to prevent UAF.
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This bug occurs in the Linux kernel's eventpoll implementation. When a thread calls ep_free() to release an eventpoll object, the kernel code can free the underlying struct eventpoll even while another concurrent thread still holds a reference to it. This race condition results in a use‑after‑free scenario that could allow a malicious actor with sufficient privileges to manipulate memory after the kernel has released it, potentially leading to arbitrary code execution or kernel data corruption.

Affected Systems

The vulnerability affects the Linux kernel, as identified by the CNA vendor name Linux:Linux. The exact kernel releases impacted by this defect are not listed, and an explicit version range is currently unavailable.

Risk and Exploitability

The flaw is a privileged kernel use‑after‑free, a highly severe weakness. The CVSS score is 7.8 and the EPSS score is < 1%, but a bug of this nature generally warrants high risk. Because the affected code operates at ring‑zero, exploitation requires a local or privileged context that can induce a race condition in eventpoll. While no exploit is publicly known, the vulnerability is serious enough that the CISA KEV catalog does not list it as of now, suggesting the risk is low to moderate but the potential impact is catastrophic if leveraged. The likely attack vector is local privilege escalation, where a privileged user or compromised application triggers the race condition via eventpoll or epoll interfaces.

Generated by OpenCVE AI on May 21, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the RCU defer fix to the eventpoll struct free operation.
  • If updating is not immediately possible, isolate vulnerable systems and restrict the use of eventpoll, epoll, or related interfaces from untrusted processes to mitigate the use‑after‑free exposure.
  • Implement kernel hardening options, such as enabling CONFIG_STATIC_RCU and kernel memory protection features (e.g., KASLR, canaries), to reduce the likelihood that a use‑after‑free can be turned into code execution.

Generated by OpenCVE AI on May 21, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 07 May 2026 01:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 06 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: eventpoll: defer struct eventpoll free to RCU grace period In certain situations, ep_free() in eventpoll.c will kfree the epi->ep eventpoll struct while it still being used by another concurrent thread. Defer the kfree() to an RCU callback to prevent UAF.
Title eventpoll: defer struct eventpoll free to RCU grace period
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:13.022Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43074

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T10:16:20.343

Modified: 2026-05-20T23:20:05.510

Link: CVE-2026-43074

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43074 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T00:30:43Z

Weaknesses