CVE Catalog

CVE-2026-53089

Unknown
Published: Translated: NVD NIST

Summary

A vulnerability has been identified in the Linux kernel related to use-after-free in the context of offloaded BPF maps and programs. The issue occurs when querying info, as the network namespace reference count may reach zero, leading to a use-after-free error.

Risk Assessment

This vulnerability could lead to unpredictable system behavior, including crashes of applications using offloaded BPF maps and programs, potentially affecting the stability and security of the entire infrastructure.

Recommendation

It is recommended to update the Linux kernel to a version where this vulnerability has been fixed to avoid potential issues related to use-after-free.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in offloaded map/prog info fill When querying info for an offloaded BPF map or program, bpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns() obtain the network namespace with get_net(dev_net(offmap->netdev)). However, the associated netdev's netns may be racing with teardown during netns destruction. If the netns refcount has already reached 0, get_net() performs a refcount_t increment on 0, triggering: refcount_t: addition on 0; use-after-free. Although rtnl_lock and bpf_devs_lock ensure the netdev pointer remains valid, they cannot prevent the netns refcount from reaching zero. Fix this by using maybe_get_net() instead of get_net(). maybe_get_net() uses refcount_inc_not_zero() and returns NULL if the refcount is already zero, which causes ns_get_path_cb() to fail and the caller to return -ENOENT -- the correct behavior when the netns is being destroyed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS