Description
In the Linux kernel, the following vulnerability has been resolved:

eventfs: Hold eventfs_mutex and SRCU when remount walks events

Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the
events descriptor") had eventfs_set_attrs() recurse through ei->children
on remount. The walk only holds the rcu_read_lock() taken by
tracefs_apply_options() over tracefs_inodes, which is wrong:

  - list_for_each_entry over ei->children races with the list_del_rcu()
    in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as
    d2603279c7d6.
  - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).
    rcu_read_lock() does not extend an SRCU grace period, so ti->private
    can be reclaimed under the walk.
  - The writes to ei->attr race with eventfs_set_attr(), which holds
    eventfs_mutex.

Reproducer:

    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &
    while :; do
        echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events
        echo > /sys/kernel/tracing/kprobe_events
    done

Wrap the events portion of tracefs_apply_options() in
eventfs_remount_lock()/_unlock() that take eventfs_mutex and
srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the
nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.

Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability pertains to the Linux kernel's eventfs subsystem. During a remount operation, eventfs walks through nodes while only holding an rcu_read_lock, which is insufficient for modifications performed elsewhere. This flaw introduces a race condition where list traversal can collide with list deletions, freeing of nodes, and attribute writes, potentially dereferencing poisoned list entries or using freed memory. The result is an unstable kernel that may crash or exhibit memory corruption.

Affected Systems

All installations of the Linux kernel that have not applied the commit that corrects eventfs_remount_lock behavior are affected. No specific versions are listed, so any current kernel not patched by the referenced commit is vulnerable. Sellers or users should verify their kernel versions against the latest stable releases that incorporate commit 340f0c7067a9.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of < 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV. Exploitation still requires local access to perform remount operations or write to kprobe_events. An attacker who can trigger the race could cause an out‑of-bounds read or use‑after‑free, which may lead to a kernel crash. Because the conditions are simple and the attack vector is local, the risk remains significant for systems that expose /sys/kernel/tracing to untrusted or low‑privileged processes.

Generated by OpenCVE AI on May 29, 2026 at 05:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that introduces eventfs_remount_lock, which protects against race conditions (CWE-367: Use of Lock Misconfiguration).
  • If a patch cannot be applied immediately, prohibit remount operations on /sys/kernel/tracing or set the tracing filesystem to read‑only mode to avoid race conditions associated with CWE-367.
  • Monitor system logs for tracefs or eventfs stack traces and isolate any hosts that experience kernel crashes, as the vulnerability may lead to memory corruption (CWE-367).
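For the log-monitoring action above, a triage sketch added here (not OpenCVE or kernel code): it splits kernel log text into crash reports and flags those whose call trace passes through the functions named in the description. The sample log, its offsets and the poison-address heuristic (the x86_64 default LIST_POISON1 value) are assumptions constructed for illustration.

```python
import re

# Functions named in the CVE description. WALK is the remount path itself.
WALK = {"eventfs_set_attrs", "tracefs_apply_options"}
RELATED = WALK | {"eventfs_remove_rec", "eventfs_set_attr"}

START = re.compile(r"BUG: |general protection fault|Oops: ")
END = re.compile(r"---\[ end trace")
SYMBOL = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Assumption: x86_64 default poison base, so LIST_POISON1 is 0xdead000000000100.
POISON = re.compile(r"dead000000000[0-9a-f]{3}")

def split_reports(log_text):
    """Yield each crash report as a list of lines, start line to end marker."""
    report = None
    for line in log_text.splitlines():
        if report is None and START.search(line):
            report = []
        if report is not None:
            report.append(line)
            if END.search(line):
                yield report
                report = None
    if report:  # log was cut off before the end marker
        yield report

def triage(log_text):
    """Return one finding per crash report that touches the eventfs functions."""
    findings = []
    for report in split_reports(log_text):
        frames = {sym for line in report for sym in SYMBOL.findall(line)}
        hits = sorted(RELATED & frames)
        if hits:
            findings.append({
                "headline": report[0].strip(),
                "functions": hits,
                "remount_walk": bool(WALK & frames),
                "poison_addr": any(POISON.search(l) for l in report),
            })
    return findings

# Constructed sample: one crash in the remount walk, one unrelated crash.
SAMPLE_LOG = """\
[  101.000001] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] SMP
[  101.000002] RIP: 0010:eventfs_set_attrs+0x4c/0x110
[  101.000003] Call Trace:
[  101.000004]  tracefs_apply_options+0x1a2/0x2b0
[  101.000005] ---[ end trace 0000000000000000 ]---
[  205.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  205.000002] RIP: 0010:example_unrelated_fn+0x10/0x40
[  205.000003] ---[ end trace 0000000000000000 ]---
"""
```

Feed it the output of the host's kernel log collector; a finding with remount_walk set is the one to correlate with remount activity on /sys/kernel/tracing.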

Advisories

No advisories yet.

History

Fri, 29 May 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 28 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Title eventfs: Hold eventfs_mutex and SRCU when remount walks events
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:54:53.367Z

Reserved: 2026-05-13T15:03:33.097Z

Link: CVE-2026-46106

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:25.950

Modified: 2026-06-17T10:53:04.577

Link: CVE-2026-46106

Redhat

Severity : Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46106 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T05:45:36Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition