CVE-2026-46274— Linux kernel 安全漏洞
Possible ATT&CK Techniques 1AI
T1203 · Exploitation for Client ExecutionAffected Version Matrix 14
| ベンダー | プロダクト | Version Range | ステータス |
|---|---|---|---|
| Linux | Linux | 204361a77f4018627addd4a06877448f088ddfc0< d6bda9df0c0a3080804181464d5c0f4d78a4e769 | affected |
204361a77f4018627addd4a06877448f088ddfc0< 5a20ebf0c81b61f5ea3b1b529c100cad69b9f603 | affected | ||
204361a77f4018627addd4a06877448f088ddfc0< 252c5051dba9c709b6a72f2866f93e5e618b3f06 | affected | ||
204361a77f4018627addd4a06877448f088ddfc0< d376c131af7c7739a87ff037ed2fdb67c2542c8a | affected | ||
204361a77f4018627addd4a06877448f088ddfc0< d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc | affected | ||
13f35a2c0fd5c6a4fcd8903542b053bcc914fcf5 | affected | ||
5.8.6< 5.9 | affected | ||
5.9 | affected | ||
| … +6 more rows | |||
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-46274の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
ソース: NVD (National Vulnerability Database)
脆弱性説明
In the Linux kernel, the following vulnerability has been resolved: io-wq: check that the predecessor is hashed in io_wq_remove_pending() io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled work was the tail of its hash bucket. When doing this, it checks whether the preceding entry in acct->work_list has the same hash value, but never checks that the predecessor is hashed at all. io_get_work_hash() is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash bits are never set for non-hashed work, so it returns 0. Thus, when a hashed bucket-0 work is cancelled while a non-hashed work is its list predecessor, the check spuriously passes and a pointer to the non-hashed io_kiocb is stored in wq->hash_tail[0]. Because non-hashed work is dequeued via the fast path in io_get_next_work(), which never touches hash_tail[], the stale pointer is never cleared. Therefore, after the non-hashed io_kiocb completes and is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The io_wq is per-task (tctx->io_wq) and survives ring open/close, so the dangling pointer persists for the lifetime of the task; the next hashed bucket-0 enqueue dereferences it in io_wq_insert_work() and wq_list_add_after() writes through freed memory. Add the missing io_wq_is_hashed() check so a non-hashed predecessor never inherits a hash_tail[] slot.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Linux kernel 安全漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于io-wq中io_wq_remove_pending函数未检查前驱是否已哈希,可能导致空指针取消引用。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
II. CVE-2026-46274の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2026-46274のインテリジェンス情報
请登录查看更多情报信息。
CVE-2026-46274 补丁与修复 (5)
Same Patch Batch · Linux · 2026-06-08 · 41 CVEs total
| CVE-2026-46289 | 9.8 CRITICAL | lib/scatterlist: fix length calculations in extract_kvec_to_sg |
| CVE-2026-46288 | 8.4 HIGH | of: unittest: fix use-after-free in of_unittest_changeset() |
| CVE-2026-46307 | 8.3 HIGH | wifi: ath5k: do not access array OOB |
| CVE-2026-46303 | 8.2 HIGH | isofs: validate Rock Ridge CE continuation extent against volume size |
| CVE-2026-46277 | 7.8 HIGH | mm/zone_device: do not touch device folio after calling ->folio_free() |
| CVE-2026-46311 | 7.8 HIGH | drm/amdgpu/userq: fix access to stale wptr mapping |
| CVE-2026-46275 | 7.8 HIGH | Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths |
| CVE-2026-46280 | 7.8 HIGH | lib: test_hmm: evict device pages on file close to avoid use-after-free |
| CVE-2026-46306 | 7.5 HIGH | flow_dissector: do not dissect PPPoE PFC frames |
| CVE-2026-46304 | 7.5 HIGH | nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free |
| CVE-2026-46299 | 7.0 HIGH | hfsplus: fix held lock freed on hfsplus_fill_super() |
| CVE-2025-71315 | drm/vkms: Convert to DRM's vblank timer | |
| CVE-2026-46276 | drm/amdgpu: fix zero-size GDS range init on RDNA4 | |
| CVE-2026-46287 | net: txgbe: fix RTNL assertion warning when remove module | |
| CVE-2026-46286 | leds: qcom-lpg: Check for array overflow when selecting the high resolution | |
| CVE-2026-46285 | mtd: docg3: fix use-after-free in docg3_release() | |
| CVE-2026-46284 | mm/hugetlb: fix early boot crash on parameters without '=' separator | |
| CVE-2026-46283 | tpm: Use kfree_sensitive() to free auth session in tpm_dev_release() | |
| CVE-2026-46282 | iio: frequency: admv1013: fix NULL pointer dereference on str | |
| CVE-2026-46281 | vmalloc: fix buffer overflow in vrealloc_node_align() |
Showing 20 of 41 CVEs. View all on vendor page →
IV. 関連脆弱性
同じ製品: Linux
- CVE-2026-52910
bpf: Free reuseport cBPF prog after RCU grace period. - CVE-2026-52909
ip6_vti: set netns_immutable on the fallback device. - CVE-2026-52908
RDMA: During rereg_mr ensure that REREG_ACCESS is compatible - CVE-2026-46331
net/sched: fix pedit partial COW leading to page cache corru - CVE-2026-52907
media: rockchip: rkcif: fix off by one bugs
同じベンダー: Linux
- CVE-2026-52910
bpf: Free reuseport cBPF prog after RCU grace period. - CVE-2026-52909
ip6_vti: set netns_immutable on the fallback device. - CVE-2026-52908
RDMA: During rereg_mr ensure that REREG_ACCESS is compatible - CVE-2026-46331
net/sched: fix pedit partial COW leading to page cache corru - CVE-2026-52907
media: rockchip: rkcif: fix off by one bugs
V. CVE-2026-46274へのコメント
まだコメントはありません