CVE-2026-45838
BPF cgroup storage get_next_key() use-after-free
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's BPF subsystem, specifically in the function cgroup_storage_get_next_key(). The issue arises because the function list_next_entry() never returns NULL; instead, when it reaches the last element of a list, it wraps around to the list head. Due to this behavior, a subsequent NULL check becomes ineffective (dead code), causing get_next_key() to never return the expected -ENOENT error when there are no more entries.
As a result, the function reads data from an invalid pointer that overlaps with internal map fields and copies this incorrect data to userspace. The fix replaces the faulty check with list_entry_is_head(), ensuring the function correctly detects the end of the list and returns -ENOENT when appropriate.
How can this vulnerability impact me? :
This vulnerability can lead to the exposure of incorrect or unintended data to userspace programs because the function reads from a bogus pointer instead of properly signaling the end of a list. This could cause userspace applications to receive corrupted or misleading information from the kernel's BPF subsystem.
Depending on the context in which this data is used, it might lead to application errors, unexpected behavior, or potential security risks if the corrupted data is trusted or used in security-sensitive operations.