What is CVE-2026-46106?

CVE-2026-46106 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.6.35 onward and patched in 6.6.140, 6.12.88, 6.18.30 and others. CVE-2026-46106 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-46106?

CVE-2026-46106 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-46106?

Yes, CVE-2026-46106 has been patched. Fixed versions include 6.6.140, 6.12.88, 6.18.30 and others. If you are running Linux kernel 6.6.35 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-46106 actively exploited?

CVE-2026-46106 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-46106

In the Linux kernel, the following vulnerability has been resolved: eventfs: Hold eventfs_mutex and SRCU when remount walks events Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") had eventfs_set_attrs() recurse through ei->children on remount. The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong: - list_for_each_entry over ei->children races with the list_del_rcu() in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as d2603279c7d6. - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...). rcu_read_lock() does not extend an SRCU grace period, so ti->private can be reclaimed under the walk. - The writes to ei->attr race with eventfs_set_attr(), which holds eventfs_mutex. Reproducer: while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done & while :; do echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events echo > /sys/kernel/tracing/kprobe_events done Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract. Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.

Package Linux Kernel

Published 2026-05-28

Last modified 2026-05-28

Patch available

Yes

Affected versions

Linux kernel versions 6.6.35, 6.9.6, 6.10 and later are affected. Fixed in 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc1 and their respective stable series.

Affected from

≥ 6.6.35 ≥ 6.9.6 ≥ 6.10

Fixed in

✓ 6.6.140 6.6.x ✓ 6.12.88 6.12.x ✓ 6.18.30 6.18.x ✓ 7.0.7 7.0.x ✓ 7.1-rc1

References

The following references provide additional information about CVE-2026-46106 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/07004a8c4b572171934390148ee48c4175c77eed
Patch
Kernel patch commit
https://git.kernel.org/stable/c/44e64d8a432837308f4dda3ffe819f1ec092a0ba
Patch
Kernel patch commit
https://git.kernel.org/stable/c/52b109f1b875b912d4ab2c5fdd8c322d47119d9b
Patch

5 patch commits total View all on NVD

Frequently asked questions

What is CVE-2026-46106?

CVE-2026-46106 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.6.35 onward and has been patched in 6.6.140, 6.12.88, 6.18.30 and others. CVE-2026-46106 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-46106?

Yes — CVE-2026-46106 has been patched. Fixed versions include 6.6.140, 6.12.88, 6.18.30 and others. If you are running Linux kernel 6.6.35 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-46106 actively exploited?

No — CVE-2026-46106 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.