CVE-2026-52938
Received Received - Intake
NULL Pointer Dereference in Linux Kernel BPF Subsystem

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist. A concurrent RCU reader in bpf_sk_storage_clone() can observe the selem still on the list with smap already NULL, causing a NULL pointer dereference. general protection fault, probably for non-canonical address 0xdffffc000000000a: KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057] RIP: 0010:bpf_sk_storage_clone+0x1cd/0xaa0 net/core/bpf_sk_storage.c:174 Call Trace: <IRQ> sk_clone+0xfed/0x1980 net/core/sock.c:2591 inet_csk_clone_lock+0x30/0x760 net/ipv4/inet_connection_sock.c:1222 tcp_create_openreq_child+0x35/0x2680 net/ipv4/tcp_minisocks.c:571 tcp_v4_syn_recv_sock+0x123/0xf90 net/ipv4/tcp_ipv4.c:1729 tcp_check_req+0x8e1/0x2580 include/net/tcp.h:855 tcp_v4_rcv+0x1845/0x3b80 net/ipv4/tcp_ipv4.c:2347 Add a NULL check for smap in bpf_sk_storage_clone(). bpf_sk_storage_diag_put_all() has the same issue. Add a NULL check and pass the validated smap directly to diag_get(), which is refactored to take smap as a parameter instead of reading it internally. bpf_sk_storage_diag_put() uses diag->maps[i] which is always valid under its refcount, so diag->maps[i] is passed directly to diag_get().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-24
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52938
EUVD
EUVD-2026-38708
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux_kernel linux_kernel *
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically in the functions bpf_sk_storage_clone and related diagnostic paths.

The issue arises because the function bpf_selem_unlink_nofail() sets a pointer (smap) to NULL before removing an element (selem) from a storage list. Meanwhile, a concurrent reader using RCU (Read-Copy-Update) in bpf_sk_storage_clone() can still see the element on the list but with the smap pointer already set to NULL. This leads to a NULL pointer dereference when the code tries to access smap.

This NULL pointer dereference can cause a general protection fault or kernel crash. The fix involves adding NULL checks for smap in the affected functions to prevent dereferencing a NULL pointer.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel, leading to a general protection fault or kernel crash.

Such crashes can result in system instability, denial of service, or unexpected reboots, potentially disrupting services and applications running on affected systems.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52938. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart