CVE Catalog

CVE-2026-53084

Unknown
Published: Translated: NVD NIST

Summary

A vulnerability in the Linux kernel related to the task_vma iterator has been resolved, which could lead to lock ordering issues. A VMA snapshot is now taken under the per-VMA lock, allowing the lock to be safely released before accessing the snapshot.

Risk Assessment

Organizations may face lock ordering problems, potentially leading to system crashes or unexpected behavior in applications using BPF.

Recommendation

It is recommended to update the Linux kernel to the latest version to mitigate this vulnerability and to monitor BPF-utilizing applications for stability.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: bpf: return VMA snapshot from task_vma iterator Holding the per-VMA lock across the BPF program body creates a lock ordering problem when helpers acquire locks that depend on mmap_lock: vm_lock -> i_rwsem -> mmap_lock -> vm_lock Snapshot the VMA under the per-VMA lock in _next() via memcpy(), then drop the lock before returning. The BPF program accesses only the snapshot. The verifier only trusts vm_mm and vm_file pointers (see BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is reference- counted with get_file() under the lock and released via fput() on the next iteration or in _destroy(). vm_mm is already correct because lock_vma_under_rcu() verifies vma->vm_mm == mm. All other pointers are left as-is by memcpy() since the verifier treats them as untrusted.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS