Description
In the Linux kernel, the following vulnerability has been resolved:

eventfs: Hold eventfs_mutex and SRCU when remount walks events

Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the
events descriptor") had eventfs_set_attrs() recurse through ei->children
on remount. The walk only holds the rcu_read_lock() taken by
tracefs_apply_options() over tracefs_inodes, which is wrong:

- list_for_each_entry over ei->children races with the list_del_rcu()
in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as
d2603279c7d6.
- eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).
rcu_read_lock() does not extend an SRCU grace period, so ti->private
can be reclaimed under the walk.
- The writes to ei->attr race with eventfs_set_attr(), which holds
eventfs_mutex.

Reproducer:

while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &
while :; do
echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events
echo > /sys/kernel/tracing/kprobe_events
done

Wrap the events portion of tracefs_apply_options() in
eventfs_remount_lock()/_unlock() that take eventfs_mutex and
srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the
nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.

Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability pertains to the Linux kernel's eventfs subsystem. During a remount operation, eventfs walks through nodes while only holding an rcu_read_lock, which is insufficient for modifications performed elsewhere. This flaw introduces a race condition where list traversal can collide with list deletions, freeing of nodes, and attribute writes, potentially dereferencing poisoned list entries or using freed memory. The result is an unstable kernel that may crash or exhibit memory corruption.

Affected Systems

All installations of the Linux kernel that have not applied the commit that corrects the eventfs_remount_lock behavior are affected. No specific versions are listed, so any current kernel not patched by the referenced commit is vulnerable. Sellers or users should verify their kernel versions against the latest stable releases that incorporate commit 340f0c7067a9.

Risk and Exploitability

The CVSS score is not provided, but the lack of an EPSS score and absence from the KEV list suggest that exploitation is not widely documented yet. Nevertheless, the vulnerability requires only local access to perform remount operations or write to the kprobe_events interface. An attacker who can exploit the race could trigger an out-of-bounds read or use-after-free, leading to a kernel crash. Because the conditions are simple and the attack vector is local, the risk is significant for systems that expose the /sys/kernel/tracing filesystem to untrusted or low-privileged processes.

Generated by OpenCVE AI on May 28, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains commit 340f0c7067a9 correcting eventfs locking behavior
  • If a kernel update is not immediately available, temporarily disable remount operations or unmount /sys/kernel/tracing until the patch is applied
  • Monitor system logs for tracefs or eventfs Oops messages and isolate affected systems if crashes occur

Generated by OpenCVE AI on May 28, 2026 at 12:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: eventfs: Hold eventfs_mutex and SRCU when remount walks events Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") had eventfs_set_attrs() recurse through ei->children on remount. The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong: - list_for_each_entry over ei->children races with the list_del_rcu() in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as d2603279c7d6. - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...). rcu_read_lock() does not extend an SRCU grace period, so ti->private can be reclaimed under the walk. - The writes to ei->attr race with eventfs_set_attr(), which holds eventfs_mutex. Reproducer: while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done & while :; do echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events echo > /sys/kernel/tracing/kprobe_events done Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract. Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.
Title eventfs: Hold eventfs_mutex and SRCU when remount walks events
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:11.034Z

Reserved: 2026-05-13T15:03:33.097Z

Link: CVE-2026-46106

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:25.950

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46106

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T12:30:16Z

Weaknesses