CVE-2026-45838
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In the Linux kernel, a vulnerability was found in the cgroup_storage_get_next_key() function in the BPF mechanism. The list_next_entry() function never returns NULL, making the NULL check dead code, and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer aliasing internal map fields and copying the result to userspace.
Risk Assessment
An attacker with privileges to perform BPF operations may gain access to unauthorized data from kernel maps, potentially leading to information disclosure or system integrity compromise.
Recommendation
Immediately update the Linux kernel to a version containing the fix that replaces list_next_entry() with list_entry_is_head() to correctly detect the end of the list and return -ENOENT.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace. Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.

