CVE-2026-31526
Received - Intake
Resource Leak Vulnerability in Linux Kernel BPF Subprogram Exception Handling

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix exception exit lock checking for subprogs

process_bpf_exit_full() passes check_lock = !curframe to check_resource_leak(), which is false in cases when bpf_throw() is called from a static subprog. This makes check_resource_leak() skip validation of active_rcu_locks, active_preempt_locks, and active_irq_id on exception exits from subprogs. At runtime bpf_throw() unwinds the stack via ORC without releasing any user-acquired locks, which may cause various issues as a result.

Fix by setting check_lock = true for exception exits regardless of curframe, since exceptions bypass all intermediate frame cleanup. Update the error message prefix to "bpf_throw" for exception exits to distinguish them from normal BPF_EXIT.

Fix reject_subprog_with_rcu_read_lock test which was previously passing for the wrong reason. Test program returned directly from the subprog call without closing the RCU section, so the error was triggered by the unclosed RCU lock on normal exit, not by bpf_throw. Update __msg annotations for affected tests to match the new "bpf_throw" error prefix.

The spin_lock case is not affected because they are already checked [1] at the call site in do_check_insn() before bpf_throw can run.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098
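
A simplified C model of the check_lock decision described above, added here as an illustration; it is not kernel source or code from the patch. The struct, process_exit(), run_case() and the message text are assumptions; only the field and function names quoted in the description come from the page.

```c
/* Simplified model of the exit check described above; NOT kernel source.
 * The struct, helpers and message text are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>

struct model_state {
    int curframe;               /* 0 = main program, >0 = inside a subprog */
    int active_rcu_locks;
    int active_preempt_locks;
    int active_irq_id;
};

/* Returns 0 if the exit is accepted, -1 if it is rejected. */
static int check_resource_leak(const struct model_state *s, bool check_lock,
                               const char *prefix)
{
    if (!check_lock)
        return 0;               /* lock validation skipped entirely */
    if (s->active_rcu_locks || s->active_preempt_locks || s->active_irq_id) {
        fprintf(stderr, "%s: lock still held (constructed message)\n", prefix);
        return -1;
    }
    return 0;
}

/* fixed == false: check_lock = !curframe, as before the patch.
 * fixed == true:  exception exits always validate locks. */
static int process_exit(const struct model_state *s, bool exception_exit,
                        bool fixed)
{
    bool check_lock = !s->curframe;
    if (fixed && exception_exit)
        check_lock = true;
    return check_resource_leak(s, check_lock,
                               fixed && exception_exit ? "bpf_throw" : "BPF_EXIT");
}

/* Constructed case: exit at frame depth `curframe` with `rcu` RCU locks held. */
static int run_case(int curframe, int rcu, bool exception_exit, bool fixed)
{
    struct model_state s = { .curframe = curframe, .active_rcu_locks = rcu };
    return process_exit(&s, exception_exit, fixed);
}

int main(void)
{
    printf("subprog throw, old check: %d\n", run_case(1, 1, true, false));
    printf("subprog throw, new check: %d\n", run_case(1, 1, true, true));
}
```

In this model, an exception exit from frame 1 with an RCU lock held is accepted by the old check and rejected by the new one, while a normal return from the same frame is unchanged.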
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 6 associated CPEs

Vendor | Product | Version / Range
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc)
linux | linux_kernel | From 6.7 (inc) to 6.18.21 (exc)

CWE ID | Description
CWE-667 | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the verifier of the Linux kernel's BPF (Berkeley Packet Filter) subsystem. It involves improper lock checking on exception exits from BPF subprograms (subprogs). When bpf_throw() is called from a static subprog, the verifier skips validation of certain lock state (active_rcu_locks, active_preempt_locks, and active_irq_id), because check_resource_leak() receives check_lock = !curframe, which is false inside a subprog. At runtime bpf_throw() unwinds the stack without releasing user-acquired locks, so they may remain held, potentially leading to various issues.

The fix always sets the lock check flag to true for exception exits, so the verifier validates these locks regardless of which frame the exception is thrown from. Additionally, the error message prefix was changed to "bpf_throw" to distinguish exception exits from normal exits.


How can this vulnerability impact me?

This vulnerability can cause user-acquired locks to remain unreleased when exceptions occur in BPF subprograms. Unreleased locks can lead to system instability, including potential deadlocks, resource leaks, or other unpredictable behavior in the kernel. This may degrade system performance or cause failures in applications relying on BPF programs.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by fixing the exception exit lock checking for subprograms in the BPF verifier. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

  • Apply the kernel patch that sets check_lock = true for exception exits regardless of curframe.
  • Update your system to the latest stable Linux kernel release that contains this fix.
  • Avoid running untrusted BPF programs until the fix is applied.
