CVE-2026-52938
Analyzed Analyzed - Analysis Complete

NULL Pointer Dereference in Linux Kernel BPF Subsystem

Vulnerability report for CVE-2026-52938, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist. A concurrent RCU reader in bpf_sk_storage_clone() can observe the selem still on the list with smap already NULL, causing a NULL pointer dereference. general protection fault, probably for non-canonical address 0xdffffc000000000a: KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057] RIP: 0010:bpf_sk_storage_clone+0x1cd/0xaa0 net/core/bpf_sk_storage.c:174 Call Trace: <IRQ> sk_clone+0xfed/0x1980 net/core/sock.c:2591 inet_csk_clone_lock+0x30/0x760 net/ipv4/inet_connection_sock.c:1222 tcp_create_openreq_child+0x35/0x2680 net/ipv4/tcp_minisocks.c:571 tcp_v4_syn_recv_sock+0x123/0xf90 net/ipv4/tcp_ipv4.c:1729 tcp_check_req+0x8e1/0x2580 include/net/tcp.h:855 tcp_v4_rcv+0x1845/0x3b80 net/ipv4/tcp_ipv4.c:2347 Add a NULL check for smap in bpf_sk_storage_clone(). bpf_sk_storage_diag_put_all() has the same issue. Add a NULL check and pass the validated smap directly to diag_get(), which is refactored to take smap as a parameter instead of reading it internally. bpf_sk_storage_diag_put() uses diag->maps[i] which is always valid under its refcount, so diag->maps[i] is passed directly to diag_get().

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-08
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 7.0 (inc) to 7.0.14 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically in the functions bpf_sk_storage_clone and related diagnostic paths.

The issue arises because the function bpf_selem_unlink_nofail() sets a pointer (smap) to NULL before removing an element (selem) from a storage list. Meanwhile, a concurrent reader using RCU (Read-Copy-Update) in bpf_sk_storage_clone() can still see the element on the list but with the smap pointer already set to NULL. This leads to a NULL pointer dereference when the code tries to access smap.

This NULL pointer dereference can cause a general protection fault or kernel crash. The fix involves adding NULL checks for smap in the affected functions to prevent dereferencing a NULL pointer.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel, leading to a general protection fault or kernel crash.

Such crashes can result in system instability, denial of service, or unexpected reboots, potentially disrupting services and applications running on affected systems.

Mitigation Strategies

The vulnerability is resolved by adding NULL pointer checks in the Linux kernel functions bpf_sk_storage_clone and related diagnostic paths. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

  • Apply the latest Linux kernel patches that address the NULL pointer dereference in bpf_sk_storage_clone and related functions.
  • Avoid running untrusted BPF programs that could trigger this vulnerability until the kernel is updated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52938. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart