CVE-2026-45838
Analyzed Analyzed - Analysis Complete

BPF cgroup storage get_next_key() use-after-free

Vulnerability report for CVE-2026-45838, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-27

Last updated on: 2026-06-26

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace. Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-27
Last Modified
2026-06-26
Generated
2026-07-06
AI Q&A
2026-05-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.2 (inc) to 6.6.141 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.91 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 4.19 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's BPF subsystem, specifically in the function cgroup_storage_get_next_key(). The issue arises because the function list_next_entry() never returns NULL; instead, when it reaches the last element of a list, it wraps around to the list head. Due to this behavior, a subsequent NULL check becomes ineffective (dead code), causing get_next_key() to never return the expected -ENOENT error when there are no more entries.

As a result, the function reads data from an invalid pointer that overlaps with internal map fields and copies this incorrect data to userspace. The fix replaces the faulty check with list_entry_is_head(), ensuring the function correctly detects the end of the list and returns -ENOENT when appropriate.

Impact Analysis

This vulnerability can lead to the exposure of incorrect or unintended data to userspace programs because the function reads from a bogus pointer instead of properly signaling the end of a list. This could cause userspace applications to receive corrupted or misleading information from the kernel's BPF subsystem.

Depending on the context in which this data is used, it might lead to application errors, unexpected behavior, or potential security risks if the corrupted data is trusted or used in security-sensitive operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45838. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart