CVE-2026-45837
Analyzed Analyzed - Analysis Complete

Use-After-Free in Linux Kernel BPF Arena

Vulnerability report for CVE-2026-45837, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-27

Last updated on: 2026-06-26

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in arena_vm_close on fork arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free. Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback. Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path: check_prep_vma() - returns 0 early: new_len == old_len skips VM_DONTEXPAND check prep_move_vma() - vm_start == old_addr and vm_end == old_addr + old_len so may_split is never called move_vma() copy_vma_and_data() copy_vma() vm_area_dup() - copies vm_private_data (vml pointer) vm_ops->open() - bumps vml->mmap_count vm_ops->mremap() - returns -EINVAL, rollback unmaps new VMA The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-27
Last Modified
2026-06-26
Generated
2026-07-06
AI Q&A
2026-05-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.30 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.9 (inc) to 6.12.88 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's BPF subsystem related to memory management during process forking.

Specifically, when a process forks, the child process inherits a pointer (vml->vma) that still points to the parent's virtual memory area (VMA). If the parent process unmaps this memory, the child's pointer becomes stale or dangling.

If the child then calls bpf_arena_free_pages(), the system reads from this stale pointer, triggering a use-after-free condition.

The fix involves preventing the arena VMA from being inherited across fork using VM_DONTCOPY, preventing VMA splits via the may_split callback, and rejecting certain memory remap operations that could cause rollback issues.

Impact Analysis

This use-after-free vulnerability can lead to undefined behavior in the kernel, including potential memory corruption or system crashes.

Exploitation of this flaw could allow an attacker to execute arbitrary code with kernel privileges or cause denial of service by crashing the system.

Mitigation Strategies

The vulnerability has been resolved by preventing the arena VMA from being inherited across fork with VM_DONTCOPY and preventing VMA splits via the may_split callback.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45837. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart