CVE-2026-45837
Use-After-Free in Linux Kernel BPF Arena

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix use-after-free in arena_vm_close on fork

arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after the parent munmaps, the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma, triggering a use-after-free.

Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback. Also reject mremap with a .mremap callback returning -EINVAL.

A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:

  check_prep_vma()      - returns 0 early: new_len == old_len skips the VM_DONTEXPAND check
  prep_move_vma()       - vm_start == old_addr and vm_end == old_addr + old_len, so may_split is never called
  move_vma()
  copy_vma_and_data()
  copy_vma()
  vm_area_dup()         - copies vm_private_data (vml pointer)
  vm_ops->open()        - bumps vml->mmap_count
  vm_ops->mremap()      - returns -EINVAL, rollback unmaps the new VMA

The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.
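The lifecycle described above, as an added illustration that is not part of the CVE record or of the kernel's code: a constructed user-space C model of the arena VMA bookkeeping. The structs `vml` and `vma`, the flag value given to `VM_DONTCOPY`, and the functions `fork_dup`, `do_munmap`, `fork_scenario` and `mremap_rollback_keeps_vml` are stand-ins of my own for vm_area_struct, the arena's vml, the real flag and the fork/munmap paths; `arena_vm_open`, `arena_vm_close`, `zap_pages` and `arena_vm_mremap` only mirror the behaviour the description attributes to their namesakes. A dangling dereference is reported through a `live` flag rather than by actually touching freed memory, so the program is safe to run.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model, NOT kernel code: names and layouts are stand-ins for
 * vm_area_struct, the arena's vml record, VM_DONTCOPY and vm_ops callbacks. */
#define VM_DONTCOPY 0x1u   /* hypothetical value; only tested as a bit */

struct vma;

struct vml {                 /* record kept in arena->vma_list */
    struct vma *vma;         /* VMA this record was created for; never updated on fork */
    int mmap_count;          /* bumped by open(), dropped by close() */
    int in_list;             /* 0 once the last mapping released it (list_del + free) */
};

struct vma {
    unsigned int flags;
    struct vml *vml;         /* vm_private_data: shared by duplicates */
    int live;                /* 0 after munmap (stands in for the freed struct) */
};

/* arena_vm_open(): vm_area_dup() already copied vm_private_data, so the
 * duplicate shares the parent's vml; only the refcount is touched and the
 * child VMA is never registered in the list (the behaviour the CVE describes). */
static void arena_vm_open(struct vma *v) { v->vml->mmap_count++; }

/* arena_vm_close(): the vml is released only by the last mapping using it. */
static void arena_vm_close(struct vma *v)
{
    if (--v->vml->mmap_count == 0)
        v->vml->in_list = 0;
}

static void do_munmap(struct vma *v) { arena_vm_close(v); v->live = 0; }

/* Fork-time duplication of one VMA. With VM_DONTCOPY the mapping is simply
 * absent from the child, which is the fix the description applies. */
static struct vma *fork_dup(struct vma *parent, struct vma *child)
{
    if (parent->flags & VM_DONTCOPY)
        return NULL;
    *child = *parent;        /* vm_area_dup(): copies the vml pointer */
    arena_vm_open(child);
    return child;
}

/* zap_pages(): walks the list and touches vml->vma. Returns 1 when the
 * record still exists but its VMA has already been unmapped (stale pointer). */
static int zap_pages(struct vml *rec)
{
    return rec->in_list && !rec->vma->live;
}

/* Parent maps the arena, forks, munmaps; the child then frees arena pages.
 * Returns the number of stale-VMA dereferences that would occur (0 or 1). */
int fork_scenario(unsigned int arena_flags)
{
    struct vml rec = { 0 };
    struct vma parent = { .flags = arena_flags, .vml = &rec, .live = 1 };
    struct vma child_storage, *child;

    rec.vma = &parent;       /* arena mmap: register the parent VMA in the list */
    rec.mmap_count = 1;
    rec.in_list = 1;

    child = fork_dup(&parent, &child_storage);
    do_munmap(&parent);      /* parent drops its mapping */

    if (!child)
        return 0;            /* VM_DONTCOPY: child has no arena VMA to free from */
    return zap_pages(child->vml);   /* child's bpf_arena_free_pages() */
}

/* .mremap callback as described: always rejects the operation. */
static int arena_vm_mremap(struct vma *v) { (void)v; return -EINVAL; }

/* Same-size mremap path: the copy shares the vml, open() bumps the count,
 * .mremap fails and rollback unmaps the copy. Returns 1 if the original's
 * vml survives the rollback thanks to the refcount. */
int mremap_rollback_keeps_vml(void)
{
    struct vml rec = { 0 };
    struct vma orig = { .flags = VM_DONTCOPY, .vml = &rec, .live = 1 };
    struct vma copy = orig;  /* vm_area_dup() */

    rec.vma = &orig; rec.mmap_count = 1; rec.in_list = 1;
    arena_vm_open(&copy);    /* mmap_count becomes 2 */
    if (arena_vm_mremap(&copy) == -EINVAL)
        do_munmap(&copy);    /* rollback: count back to 1, vml kept */
    return rec.in_list && orig.live;
}

int main(void)
{
    printf("without VM_DONTCOPY: stale dereferences = %d\n", fork_scenario(0));
    printf("with VM_DONTCOPY:    stale dereferences = %d\n", fork_scenario(VM_DONTCOPY));
    printf("mremap rollback keeps original vml: %d\n", mremap_rollback_keeps_vml());
    return 0;
}
```

Running it shows the two halves of the fix separately: without VM_DONTCOPY the child's record still points at the parent's unmapped VMA, with it the child has nothing to free from, and the refcount is what keeps the rollback of a rejected mremap from releasing the vml the original mapping still uses.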
Affected Vendors & Products

Vendor    Product         Version / Range
linux     linux_kernel    *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free issue in the Linux kernel's BPF subsystem related to memory management during process forking.

Specifically, when a process forks, the child process inherits a pointer (vml->vma) that still points to the parent's virtual memory area (VMA). If the parent process unmaps this memory, the child's pointer becomes stale or dangling.

If the child then calls bpf_arena_free_pages(), the system reads from this stale pointer, triggering a use-after-free condition.

The fix involves preventing the arena VMA from being inherited across fork using VM_DONTCOPY, preventing VMA splits via the may_split callback, and rejecting certain memory remap operations that could cause rollback issues.


How can this vulnerability impact me?

This use-after-free vulnerability can lead to undefined behavior in the kernel, including potential memory corruption or system crashes.

Exploitation of this flaw could allow an attacker to execute arbitrary code with kernel privileges or cause denial of service by crashing the system.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by preventing the arena VMA from being inherited across fork with VM_DONTCOPY and preventing VMA splits via the may_split callback.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

