CVE-2026-46259 - Vulnerability Details

- procfs: fix missing RCU protection when reading real_parent in do_task_stat()

Description

In the Linux kernel, the following vulnerability has been resolved:

procfs: fix missing RCU protection when reading real_parent in do_task_stat()

When reading /proc/[pid]/stat, do_task_stat() accesses task->real_parent
without proper RCU protection, which leads to:

cpu 0 cpu 1
----- -----
do_task_stat
var = task->real_parent
release_task
call_rcu(delayed_put_task_struct)
task_tgid_nr_ns(var)
rcu_read_lock <--- Too late to protect task->real_parent!
task_pid_ptr <--- UAF!
rcu_read_unlock

This patch uses task_ppid_nr_ns() instead of task_tgid_nr_ns() to add
proper RCU protection for accessing task->real_parent.

Published: 2026-06-03

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, a missing RCU protection guard around the real_parent field in do_task_stat() allows a use‑after‑free condition when /proc/[pid]/stat is read. The bug can cause the kernel to dereference freed task structures, potentially crashing the system or enabling an attacker to execute arbitrary code. The severity of the flaw is high, as it involves kernel memory corruption and could allow privilege escalation or denial of service when a local or privileged user triggers the race.

Affected Systems

All Linux kernel releases that have not yet incorporated the patch commits linked above are affected. The vulnerability originates from the core Linux kernel, so any vendor distribution based on those kernel versions is impacted until the fix is applied.

Risk and Exploitability

The CVSS score is 7.8, and the EPSS score is < 1%. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is a local or low‑privileged process that reads /proc/[pid]/stat, making the risk significant on systems where untrusted user input can target that file. Exploitation would require a race condition that is unlikely without intentional effort, but the potential impact justifies prompt action.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`06fffb1267c9d986687b69d74a46ee332a50575e`	affected	< fefa0fcd78be465b7ad4c497fa6ec90d64194c04
`06fffb1267c9d986687b69d74a46ee332a50575e`	affected	< c93a33f28f915d446eea6fb3f0e1def0b3af1982
`06fffb1267c9d986687b69d74a46ee332a50575e`	affected	< 1c8dc5b5517546c68ffae40b948336122bb61306
`06fffb1267c9d986687b69d74a46ee332a50575e`	affected	< 0e64bd46a04a4fd61279aca9f53a664e9e5f7e7e
`06fffb1267c9d986687b69d74a46ee332a50575e`	affected	< 73ec7c96601d61d52310c659145bb06d933a0fa6
`06fffb1267c9d986687b69d74a46ee332a50575e`	affected	< 4f9ae386861e280b7631ca252f798d25575627ee
`06fffb1267c9d986687b69d74a46ee332a50575e`	affected	< dd8b13cb4ff1a4545a214ed897fdf2bc341155b6
`06fffb1267c9d986687b69d74a46ee332a50575e`	affected	< 76149d53502cf17ef3ae454ff384551236fba867

Linux

affected

Version	Status	Constraints
`2.6.26`	affected	—
`0`	unaffected	< 2.6.26
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[06fffb1267c9d986687b69d74a46ee332a50575e,fefa0fcd78be465b7ad4c497fa6ec90d64194c04)`	affected	code_commit	—
`[06fffb1267c9d986687b69d74a46ee332a50575e,c93a33f28f915d446eea6fb3f0e1def0b3af1982)`	affected	code_commit	—
`[06fffb1267c9d986687b69d74a46ee332a50575e,1c8dc5b5517546c68ffae40b948336122bb61306)`	affected	code_commit	—
`[06fffb1267c9d986687b69d74a46ee332a50575e,0e64bd46a04a4fd61279aca9f53a664e9e5f7e7e)`	affected	code_commit	—
`[06fffb1267c9d986687b69d74a46ee332a50575e,73ec7c96601d61d52310c659145bb06d933a0fa6)`	affected	code_commit	—
`[06fffb1267c9d986687b69d74a46ee332a50575e,4f9ae386861e280b7631ca252f798d25575627ee)`	affected	code_commit	—
`[06fffb1267c9d986687b69d74a46ee332a50575e,dd8b13cb4ff1a4545a214ed897fdf2bc341155b6)`	affected	code_commit	—
`[06fffb1267c9d986687b69d74a46ee332a50575e,76149d53502cf17ef3ae454ff384551236fba867)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.26`	affected	semver	—
`[0,2.6.26)`	unaffected	semver	—
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply an updated Linux kernel that includes the fix for the missing RCU protection in do_task_stat().
If a distribution update is not immediately available, backport the specific commit(s) from the kernel repository to your current kernel and rebuild.
Use SELinux, AppArmor, or other mandatory access control policies to limit read access to /proc/[pid]/stat to trusted users and services.

Generated by OpenCVE AI on June 9, 2026 at 22:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0012.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0e64bd46a04a4fd61279aca9f53a664e9e5f7e7e
https://git.kernel.org/stable/c/1c8dc5b5517546c68ffae40b948336122bb61306
https://git.kernel.org/stable/c/4f9ae386861e280b7631ca252f798d25575627ee
https://git.kernel.org/stable/c/73ec7c96601d61d52310c659145bb06d933a0fa6
https://git.kernel.org/stable/c/76149d53502cf17ef3ae454ff384551236fba867
https://git.kernel.org/stable/c/c93a33f28f915d446eea6fb3f0e1def0b3af1982
https://git.kernel.org/stable/c/dd8b13cb4ff1a4545a214ed897fdf2bc341155b6
https://git.kernel.org/stable/c/fefa0fcd78be465b7ad4c497fa6ec90d64194c04
https://lore.kernel.org/linux-cve-announce/2026060336-CVE-2026-46259-6c94@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46259
https://www.cve.org/CVERecord?id=CVE-2026-46259

History

Tue, 09 Jun 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Fri, 05 Jun 2026 06:45:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 04 Jun 2026 02:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-362 CWE-416

Thu, 04 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-820
References		https://lore.kernel.org/linux-cve-announce/2026060336-CVE-2026-46259-6c94@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46259 https://www.cve.org/CVERecord?id=CVE-2026-46259
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Wed, 03 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-416

Wed, 03 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: procfs: fix missing RCU protection when reading real_parent in do_task_stat() When reading /proc/[pid]/stat, do_task_stat() accesses task->real_parent without proper RCU protection, which leads to: cpu 0 cpu 1 ----- ----- do_task_stat var = task->real_parent release_task call_rcu(delayed_put_task_struct) task_tgid_nr_ns(var) rcu_read_lock <--- Too late to protect task->real_parent! task_pid_ptr <--- UAF! rcu_read_unlock This patch uses task_ppid_nr_ns() instead of task_tgid_nr_ns() to add proper RCU protection for accessing task->real_parent.
Title		procfs: fix missing RCU protection when reading real_parent in do_task_stat()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0e64bd46a04a4fd61279aca9f53a664e9e5f7e7e https://git.kernel.org/stable/c/1c8dc5b5517546c68ffae40b948336122bb61306 https://git.kernel.org/stable/c/4f9ae386861e280b7631ca252f798d25575627ee https://git.kernel.org/stable/c/73ec7c96601d61d52310c659145bb06d933a0fa6 https://git.kernel.org/stable/c/76149d53502cf17ef3ae454ff384551236fba867 https://git.kernel.org/stable/c/c93a33f28f915d446eea6fb3f0e1def0b3af1982 https://git.kernel.org/stable/c/dd8b13cb4ff1a4545a214ed897fdf2bc341155b6 https://git.kernel.org/stable/c/fefa0fcd78be465b7ad4c497fa6ec90d64194c04

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-03T15:49:56.428Z

Updated: 2026-06-05T06:06:27.857Z

Reserved: 2026-05-13T15:03:33.108Z

Link: CVE-2026-46259

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-06-03T18:16:26.987

Modified: 2026-06-09T20:09:45.007

Link: CVE-2026-46259

Redhat

Severity : Important

Publid Date: 2026-06-03T00:00:00Z

Links: CVE-2026-46259 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T22:30:14Z

Weaknesses

CWE-820
Missing Synchronization
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object