CVE-2026-53085
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
A vulnerability was found in the Linux kernel's open-coded task_vma iterator in BPF. The iterator reads task->mm without locking and does not increment the mm_struct reference count, leading to a use-after-free when the task exits concurrently.
Risk Assessment
An attacker could exploit this vulnerability to access freed kernel memory, potentially leading to privilege escalation or information disclosure.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit addressing the issue). Avoid running BPF programs in contexts with interrupts disabled (IRQ, NMI).
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: bpf: fix mm lifecycle in open-coded task_vma iterator The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed as it is not SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free. Safely read task->mm with a trylock on alloc_lock and acquire an mm reference. Drop the reference via bpf_iter_mmput_async() in _destroy() and error paths. bpf_iter_mmput_async() is a local wrapper around mmput_async() with a fallback to mmput() on !CONFIG_MMU. Reject irqs-disabled contexts (including NMI) up front. Operations used by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async) take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from NMI or from a tracepoint that fires with those locks held could deadlock. A trylock on alloc_lock is used instead of the blocking task_lock() (get_task_mm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.

