CVE-2026-45838
Awaiting Analysis Awaiting Analysis - Queue
BPF cgroup storage get_next_key() use-after-free

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace. Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45838
EUVD
EUVD-2026-32164
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's BPF subsystem, specifically in the function cgroup_storage_get_next_key(). The issue arises because the function list_next_entry() never returns NULL; instead, when it reaches the last element of a list, it wraps around to the list head. Due to this behavior, a subsequent NULL check becomes ineffective (dead code), causing get_next_key() to never return the expected -ENOENT error when there are no more entries.

As a result, the function reads data from an invalid pointer that overlaps with internal map fields and copies this incorrect data to userspace. The fix replaces the faulty check with list_entry_is_head(), ensuring the function correctly detects the end of the list and returns -ENOENT when appropriate.

Impact Analysis

This vulnerability can lead to the exposure of incorrect or unintended data to userspace programs because the function reads from a bogus pointer instead of properly signaling the end of a list. This could cause userspace applications to receive corrupted or misleading information from the kernel's BPF subsystem.

Depending on the context in which this data is used, it might lead to application errors, unexpected behavior, or potential security risks if the corrupted data is trusted or used in security-sensitive operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45838. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart