CVE-2026-23319
Use-After-Free Vulnerability in Linux Kernel BPF Trampoline Component

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim

The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.

Based on Martin KaFai Lau's suggestions, I have created a simple patch.

To fix this: Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is not already zero.

Testing: I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger:

    static void bpf_shim_tramp_link_release(struct bpf_link *link)
    {
        /* ... */
        if (!shim_link->trampoline)
            return;
    +   msleep(100);
        WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,
                                                shim_link->trampoline, NULL));
        bpf_trampoline_put(shim_link->trampoline);
    }

Before the patch, running a PoC easily reproduced the crash (almost 100%) with a call trace similar to KaiyanM's report. After the patch, the bug no longer occurs even after millions of iterations.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 13 associated CPEs

Vendor   Product        Version / Range
linux    linux_kernel   6.0
linux    linux_kernel   From 6.19 (inc) to 6.19.7 (exc)
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   From 6.13 (inc) to 6.18.17 (exc)
linux    linux_kernel   From 6.2 (inc) to 6.6.130 (exc)
linux    linux_kernel   From 6.7 (inc) to 6.12.77 (exc)
linux    linux_kernel   From 6.0.1 (inc) to 6.1.167 (exc)
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free (UAF) issue in the Linux kernel's BPF subsystem, specifically in the function bpf_trampoline_link_cgroup_shim.

The root cause is that when the reference count of a resource (shim_link->link.link) is reduced to zero by bpf_link_put, the resource is considered released but may still be referenced through tr->progs_hlist in cgroup_shim_find. The actual cleanup of tr->progs_hlist is deferred in bpf_shim_tramp_link_release.

During this window between the resource being considered released and the actual cleanup, another process can trigger a use-after-free condition via bpf_trampoline_link_cgroup_shim.

The fix involves adding an atomic non-zero check in bpf_trampoline_link_cgroup_shim to only increment the reference count if it is not already zero, preventing the use-after-free.
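The refcount race described in the Description above and in this answer, modelled as an added C example (constructed for this page; it is not kernel code and not the fix itself): a link whose count has already dropped to zero is still reachable from the list because its unlink is deferred, and the lookup either bumps the count blindly (pre-fix) or uses an atomic inc-not-zero check (the fix). The struct layout, field names, and the link_put / find_and_get / dead_link_handed_out helpers are illustrative assumptions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the advisory's race, not kernel code: a trampoline
 * keeps a list of shim links, and a link's refcount can reach zero while the
 * link is still reachable from that list because the unlink is deferred. */
struct shim_link {
    atomic_long refcnt;      /* models the link's refcount */
    int cgroup_key;          /* lookup key used by the find routine */
    struct shim_link *next;  /* models membership in tr->progs_hlist */
};
struct trampoline { struct shim_link *progs_hlist; };
/* Models bpf_link_put(): the count reaches zero, but the list removal in
 * bpf_shim_tramp_link_release runs later, which is the race window. */
static void link_put(struct shim_link *l) { atomic_fetch_sub(&l->refcnt, 1); }
/* The fix: increment only if the count is non-zero, as one atomic step. */
static bool refcnt_inc_not_zero(atomic_long *rc)
{
    long old = atomic_load(rc);
    while (old != 0)
        if (atomic_compare_exchange_weak(rc, &old, old + 1))
            return true;
    return false;
}
/* Models cgroup_shim_find plus the take-a-reference step. Pre-fix: bump the
 * count blindly and revive a dead link. Fixed: a zero count means "no link". */
static struct shim_link *find_and_get(struct trampoline *tr, int key, bool fixed)
{
    for (struct shim_link *l = tr->progs_hlist; l; l = l->next) {
        if (l->cgroup_key != key)
            continue;
        if (fixed)
            return refcnt_inc_not_zero(&l->refcnt) ? l : NULL;
        atomic_fetch_add(&l->refcnt, 1);
        return l;
    }
    return NULL;
}

/* Constructed scenario: the owner drops its only reference, the deferred
 * unlink has not run, then another caller looks the link up. Returns 1 if
 * the dead link was handed out (UAF), 0 if the lookup returned NULL. */
int dead_link_handed_out(bool fixed)
{
    struct shim_link link = { .cgroup_key = 7 };
    atomic_init(&link.refcnt, 1);
    struct trampoline tr = { .progs_hlist = &link };
    link_put(&link);                             /* refcount 1 -> 0 */
    return find_and_get(&tr, 7, fixed) != NULL;
}
```

With the unchecked lookup the dead link comes back with a refcount of 1 and would be dereferenced after its release; with the inc-not-zero check the caller sees no link and allocates a fresh one.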


How can this vulnerability impact me?

A use-after-free vulnerability in the kernel can lead to system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges.

Since this vulnerability occurs in the Linux kernel's BPF subsystem, exploitation could affect any system running a vulnerable kernel, potentially causing denial of service or enabling further attacks.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by applying a patch that adds an atomic non-zero check in the function 'bpf_trampoline_link_cgroup_shim'. This ensures the reference count is only incremented if it is not already zero, preventing the use-after-free condition.

Therefore, the immediate step to mitigate this vulnerability is to update the Linux kernel to a version that includes this fix.

