CVE-2026-46242 Bad Epoll

First, local root exploits are dangerous, of course, but not that dangerous for PVE, because everything already runs as root. There is no priviledge escalation necessary from there.

CVE-2026-46242 is according to your link already fixed in 7.0.11 and I'm running on my pve test box here 7.0.12, so it is in fact already patched. The older kernel is the 6.17er series, which is affected by the bug but gets no updates anymore, only the 6.18er series and I don't know if the patches will be backported. What kernel version are you running at the moment?
 
I don't understand what you mean, it's a privilege escalation for containers as well afaik, and it's more critical than fragnesia and others as there's no workaround.
I see no update on proxmox 8 with latest version 6.8.12-32 , or if it's fixed then when was it fixed exactly? As there was no PSA.

This one is a mandatory reboot so i thought it would have its PSA and everything.
 
Last edited:
Kernel Changelog:
Code:
proxmox-kernel-6.8 (6.8.12-32) bookworm; urgency=medium

  * update submodule to Ubuntu-6.8.0-132.132 and refresh patches
    - sync upstream stable kernel changes 6.6.141
    - sync upstream stable kernel changes 6.12.91

 -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jun 2026 11:50:48 +0200
I would say definitely affected!
Proxmox 8 is EOL next month. It's really time to upgrade...
 
  • Like
Reactions: Johannes S
I don't understand what you mean, it's a privilege escalation for containers as well afaik, and it's more critical than fragnesia and others as there's no workaround.
Oh you're right, I haven't thought about this. Best to not use containers in order to mitigate this.


Proxmox 8 is EOL next month. It's really time to upgrade...
Yes, this is also important, especially if there will not be a kernel 6.18 in PVE 8. There is no branch in GIT for that. Hopefully the fix will be backported, but no activity in the branches for PVE8 kernels.
 
  • Like
Reactions: Johannes S
fixed 6.8 kernel is on pve-test (proxmox-kernel-6.8.12-33-pve), 6.17 will follow shortly. 7.0 was already fixed with 7.0.14
 
fixed kernels for 6.8 and 6.17 are now on pve-no-subscription