Описание
In the Linux kernel, the following vulnerability has been resolved: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario. It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF in proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same manner.
Отчет
A race in procfs could dereference a freed proc_ops->proc_lseek pointer when a /proc file is opened while its backing module is being removed, leading to a kernel UAF and potential crash. The fix mirrors existing read/ioctl handling: it precomputes capability flags on entry creation and checks those flags (not the function pointer) in proc_reg_open(), eliminating the rmmod-time gap. This is primarily a local DoS: an unprivileged user can open/seek a proc entry while an administrator unloads the module.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Out of support scope | ||
| Red Hat Enterprise Linux 7 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Fix deferred | ||
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2026:23329 | 04.06.2026 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2026:21556 | 28.05.2026 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2026:21556 | 28.05.2026 |
| Red Hat Enterprise Linux 9.4 Extended Update Support | kernel | Fixed | RHSA-2026:21209 | 27.05.2026 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.1 Medium
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario. It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF in proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same manner.
In the Linux kernel, the following vulnerability has been resolved: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario. It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF in proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same manner.
proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al
In the Linux kernel, the following vulnerability has been resolved: p ...
In the Linux kernel, the following vulnerability has been resolved: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario. It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF in proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same manner.
EPSS
5.1 Medium
CVSS3