HIGH 7.8

CVE-2026-46259: Linux Kernel procfs Use-After-Free – Local Privilege Escalation

A vulnerability in the Linux kernel's proc filesystem allows a local attacker with standard user privileges to cause a use-after-free (UAF) condition when reading `/proc/[pid]/stat`. The issue stems from a race condition where the kernel accesses a task's parent process pointer without proper synchronization, creating a window where another CPU can free that pointer concurrently. An attacker can exploit this to read sensitive kernel memory or crash the system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: procfs: fix missing RCU protection when reading real_parent in do_task_stat() When reading /proc/[pid]/stat, do_task_stat() accesses task->real_parent without proper RCU protection, which leads to: cpu 0 cpu 1 ----- ----- do_task_stat var = task->real_parent release_task call_rcu(delayed_put_task_struct) task_tgid_nr_ns(var) rcu_read_lock <--- Too late to protect task->real_parent! task_pid_ptr <--- UAF! rcu_read_unlock This patch uses task_ppid_nr_ns() instead of task_tgid_nr_ns() to add proper RCU protection for accessing task->real_parent.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46259 is a use-after-free vulnerability in the Linux kernel's `do_task_stat()` function within procfs. When userspace reads `/proc/[pid]/stat`, the kernel retrieves `task->real_parent` without RCU (Read-Copy-Update) locking. A race condition occurs when: (1) CPU 0 reads the real_parent pointer unsafely, (2) CPU 1 concurrently calls `release_task()`, which schedules the parent task struct for deferred destruction via `call_rcu()`, and (3) CPU 0 later attempts to dereference the now-freed pointer within `task_tgid_nr_ns()`. The fix replaces the unsafe sequence with `task_ppid_nr_ns()`, which wraps the real_parent access in proper RCU read-side critical sections, ensuring the pointer remains valid during the operation.

Business impact

This vulnerability exposes Linux systems to local privilege escalation and denial of service. A non-root user can trigger a kernel crash by reading `/proc/[pid]/stat` at the precise moment when a parent process is being reaped, disrupting services and potentially enabling further attacks. Additionally, attackers may leak sensitive kernel memory addresses or data structures, undermining address-space layout randomization (ASLR) and facilitating subsequent exploits. For organizations running multi-tenant Linux systems or shared hosting platforms, this represents a significant containment failure between user domains.

Affected systems

This vulnerability affects the Linux kernel across all supported distributions. Any Linux system running an unpatched kernel with the vulnerable code path is at risk. The vulnerability is exploitable by any local user on the system; no special capabilities are required beyond standard user permissions. Containerized environments and virtual machines using Linux kernels remain vulnerable unless the host kernel is patched.

Exploitability

The vulnerability is highly exploitable. It requires only local access and standard user privileges (AC:L, PR:L, AV:L). The race condition is reliably triggered by repeatedly reading `/proc/[pid]/stat` while the target process is undergoing reparenting or termination. Proof-of-concept tooling can be trivially developed by any competent developer. However, reliable exploitation may require timing tuning specific to system load and CPU architecture, making large-scale automated exploitation somewhat less predictable than traditional buffer overflows.

Remediation

Apply the Linux kernel patch that replaces the unsafe real_parent access in `do_task_stat()` with the RCU-protected `task_ppid_nr_ns()` function. Verify the fix against your kernel version's official upstream repository or distribution advisory. Systems should prioritize patching given the local-privilege requirement and the straightforward nature of triggering the race. Until patching is feasible, restrict `/proc` access via AppArmor or SELinux policies if operational requirements permit.

Patch guidance

Check your Linux distribution's security advisory for kernel updates addressing CVE-2026-46259. The patch modifies only the procfs stat reporting code; verify the commit hash against the upstream Linux kernel repository before applying. Test patches in non-production environments first to ensure compatibility with custom kernel configurations or out-of-tree modules. Kernel updates typically require a reboot; schedule patching during a maintenance window.

Detection guidance

Monitor system logs for kernel UAF panics mentioning the procfs or `do_task_stat` code path. Deploy kernel-level intrusion detection rules to flag repeated suspicious reads of `/proc/[pid]/stat` by unprivileged users targeting processes scheduled for termination. Observe for unexpected `call_rcu` warnings or memory corruption messages in kernel logs. On systems with audit capabilities, log all `/proc/stat` accesses by non-privileged users and correlate spikes with process termination events. Behavioral anomalies (e.g., address-space information leaks or frequent kernel crashes) may indicate exploitation attempts.

Why prioritize this

HIGH severity (CVSS 7.8) due to the combination of local privilege escalation potential, denial of service capability, and information disclosure. The attack surface is universal—any system with a Linux kernel—and the barrier to exploitation is minimal. While the KEV has not been added to the CISA Known Exploited Vulnerabilities catalog, the simplicity of the race condition and the ubiquity of `/proc/stat` access make eventual weaponization likely. This should receive immediate attention in patch cycles.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects: (1) local attack vector (AV:L)—no network access required; (2) low attack complexity (AC:L)—triggering the race is straightforward; (3) low privileges required (PR:L)—any local user can attempt exploitation; (4) no user interaction; (5) high impact across confidentiality, integrity, and availability (C:H, I:H, A:H)—allowing memory disclosure, kernel state corruption, and denial of service. The score does not account for the prevalence of Linux in both enterprise and edge environments, which elevates practical risk.

Frequently asked questions

Can a remote attacker exploit this vulnerability?

No. The vulnerability requires local system access; it cannot be triggered over a network. An attacker must already have an account or shell on the target system.

Do I need to do anything if my system is air-gapped or containerized?

Yes. Containerized systems remain vulnerable if the underlying host kernel is unpatched. Air-gapped systems are not immune; local users within the network can still exploit the flaw. Patch all kernels regardless of network isolation.

What is the difference between real_parent and the PPID shown in /proc/[pid]/stat?

The `real_parent` pointer references the actual parent task struct in kernel memory. The PPID (parent process ID) is derived from this pointer. The vulnerability occurs during the unsafe reading of the real_parent pointer itself, before the PPID can be safely extracted.

Will a user-space tool or library update fix this?

No. This is a kernel-level vulnerability. Only patching the Linux kernel will resolve it. User-space patches or workarounds cannot prevent the race condition from occurring in kernel code.

This analysis is provided for informational purposes and is based on the vulnerability description and CVSS vector provided. Actual impact and exploitability may vary based on kernel version, distribution patches, system configuration, and runtime conditions. SEC.co recommends validating all patch versions, compatibility, and testing in non-production environments before deployment. No exploit code or weaponized proof-of-concept has been provided or endorsed. Organizations should consult their Linux distribution's official security advisories and their kernel vendor for definitive patch availability and timelines. This document does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).