Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-46106— eventfs: Hold eventfs_mutex and SRCU when remount walks events

AI Predicted 7.8 Difficulty: Moderate EPSS 0.02% · P5

Affected Version Matrix 15

VendorProductVersion RangeStatus
LinuxLinux7ec535ed8724d18ae4e714d2277a5b89450659d2< ae9cd0b46b1890040006a2fc5e905c5d6053fd02affected
340f0c7067a95281ad13734f8225f49c6cf52067< 44e64d8a432837308f4dda3ffe819f1ec092a0baaffected
340f0c7067a95281ad13734f8225f49c6cf52067< 52b109f1b875b912d4ab2c5fdd8c322d47119d9baffected
340f0c7067a95281ad13734f8225f49c6cf52067< ed2ad73bcb0a7a6cc934097d4853b6d5124c317eaffected
340f0c7067a95281ad13734f8225f49c6cf52067< 07004a8c4b572171934390148ee48c4175c77eedaffected
99b86d85f7c73d676c50e8c35748f94dd41389daaffected
6.6.35< 6.6.140affected
6.9.6< 6.10affected
… +7 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-46106

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
eventfs: Hold eventfs_mutex and SRCU when remount walks events
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: eventfs: Hold eventfs_mutex and SRCU when remount walks events Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") had eventfs_set_attrs() recurse through ei->children on remount. The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong: - list_for_each_entry over ei->children races with the list_del_rcu() in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as d2603279c7d6. - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...). rcu_read_lock() does not extend an SRCU grace period, so ti->private can be reclaimed under the walk. - The writes to ei->attr race with eventfs_set_attr(), which holds eventfs_mutex. Reproducer: while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done & while :; do echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events echo > /sys/kernel/tracing/kprobe_events done Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract. Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于eventfs在重新挂载遍历events时未正确持有eventfs_mutex和SRCU锁,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 7ec535ed8724d18ae4e714d2277a5b89450659d2 ~ ae9cd0b46b1890040006a2fc5e905c5d6053fd02 -
LinuxLinux 6.10 -

II. Public POCs for CVE-2026-46106

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-46106

登录查看更多情报信息。

Patches & Fixes for CVE-2026-46106 (5)

Same Patch Batch · Linux · 2026-05-28 · 138 CVEs total

CVE-2026-461379.8 CRITICALmptcp: pm: ADD_ADDR rtx: fix potential data-race
CVE-2026-461959.8 CRITICALsmb: client: validate dacloffset before building DACL pointers
CVE-2026-461159.8 CRITICALblock: add pgmap check to biovec_phys_mergeable
CVE-2026-461359.8 CRITICALnvmet-tcp: fix race between ICReq handling and queue teardown
CVE-2026-461559.1 CRITICALsmb/client: fix out-of-bounds read in smb2_compound_op()
CVE-2026-461859.1 CRITICALsmb/client: fix out-of-bounds read in symlink_data()
CVE-2026-461199.1 CRITICALlibceph: Fix slab-out-of-bounds access in auth message processing
CVE-2026-461138.8 HIGHKVM: x86: Fix shadow paging use-after-free due to unexpected GFN
CVE-2026-461528.8 HIGHwifi: mac80211: drop stray 'static' from fast-RX rx_result
CVE-2026-462128.8 HIGHbatman-adv: bla: prevent use-after-free when deleting claims
CVE-2026-461258.8 HIGHwifi: mac80211: remove station if connection prep fails
CVE-2026-462388.8 HIGHbatman-adv: stop caching unowned originator pointers in BAT IV
CVE-2026-461668.8 HIGHwifi: mac80211: use safe list iteration in radar detect work
CVE-2026-461988.8 HIGHbatman-adv: fix integer overflow on buff_pos
CVE-2026-461748.8 HIGHx86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
CVE-2026-462328.1 HIGHHID: playstation: Clamp num_touch_reports
CVE-2026-461388.1 HIGHBluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
CVE-2026-461767.8 HIGHRDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
CVE-2026-461977.8 HIGHdrm/amdkfd: validate SVM ioctl nattr against buffer size
CVE-2026-461457.8 HIGHRDMA/mana: Validate rx_hash_key_len

Showing top 20 of 138 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-46106

No comments yet

Leave a comment