CVE-2026-53085
Use-After-Free in Linux Kernel BPF Task VMA Iterator

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: fix mm lifecycle in open-coded task_vma iterator

The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed as it is not SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free.

Safely read task->mm with a trylock on alloc_lock and acquire an mm reference. Drop the reference via bpf_iter_mmput_async() in _destroy() and error paths. bpf_iter_mmput_async() is a local wrapper around mmput_async() with a fallback to mmput() on !CONFIG_MMU.

Reject irqs-disabled contexts (including NMI) up front. Operations used by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async) take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from NMI or from a tracepoint that fires with those locks held could deadlock.

A trylock on alloc_lock is used instead of the blocking task_lock() (get_task_mm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.
Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version / Range: * (all versions listed under the single associated CPE)
Executive Summary

This vulnerability exists in the Linux kernel's BPF subsystem related to the open-coded task_vma iterator. The iterator reads the task's memory descriptor (task->mm) without proper locking and does not call mmget(), which is necessary to safely hold a reference to the memory structure.

If the task exits concurrently, the memory descriptor (mm_struct) can be freed while still being accessed, leading to a use-after-free condition. This can cause undefined behavior or kernel crashes.

The fix involves safely reading task->mm by acquiring a trylock on alloc_lock and obtaining a proper reference to the memory structure. The reference is then released asynchronously or synchronously depending on kernel configuration. Additionally, the fix rejects contexts where interrupts are disabled to avoid potential deadlocks.
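As an added illustration (constructed for this write-up, not kernel code and not the actual patch), a small user-space model of the lifecycle bug described above: the pre-fix _new() copies task->mm without taking a reference, so a concurrent exit frees the mm underneath _next(); the fixed _new() rejects irqs-off contexts, trylocks alloc_lock, and pins the mm with mmget() until _destroy(). The structs, mmget/mmput, exit_mm and the alloc_locked flag are simplified stand-ins for the kernel objects.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed user-space model of the kernel objects involved; not kernel code. */
struct mm_struct { int mm_users; bool freed; };
struct task_struct { struct mm_struct *mm; bool alloc_locked; };
struct task_vma_iter { struct mm_struct *mm; };

static void mmget(struct mm_struct *mm) { mm->mm_users++; }
static void mmput(struct mm_struct *mm) { if (--mm->mm_users == 0) mm->freed = true; }
/* Task exit: clears task->mm and drops the task's own reference (may free the mm). */
static void exit_mm(struct task_struct *t) { struct mm_struct *mm = t->mm; t->mm = 0; mmput(mm); }

/* Pre-fix _new(): lockless read of task->mm, no mmget(), so nothing pins the mm. */
static int iter_new_vuln(struct task_vma_iter *it, struct task_struct *t) { it->mm = t->mm; return it->mm ? 0 : -ESRCH; }

/* Fixed _new(): reject irqs-off contexts, trylock alloc_lock, then pin the mm. */
static int iter_new_fixed(struct task_vma_iter *it, struct task_struct *t, bool irqs_disabled)
{
	it->mm = 0;
	if (irqs_disabled)   /* NMI or a tracepoint with IRQs off could deadlock in _destroy() */
		return -EINVAL;
	if (t->alloc_locked) /* same-CPU holder: a blocking task_lock() would deadlock */
		return -EBUSY;
	t->alloc_locked = true;
	it->mm = t->mm;
	if (it->mm)
		mmget(it->mm);
	t->alloc_locked = false;
	return it->mm ? 0 : -ESRCH;
}

/* _next(): the mm is only safe to walk if nobody freed it underneath us. */
static bool iter_next_ok(const struct task_vma_iter *it) { return it->mm && !it->mm->freed; }
/* _destroy(): drop the reference taken in _new() (bpf_iter_mmput_async() in the real fix). */
static void iter_destroy(struct task_vma_iter *it) { if (it->mm) mmput(it->mm); it->mm = 0; }

/* Race: iterator created, task exits, then _next() runs. Returns whether _next() was safe. */
static bool race(bool fixed, int *users_after)
{
	struct mm_struct mm = { 1, false };
	struct task_struct t = { &mm, false };
	struct task_vma_iter it;
	if (fixed) iter_new_fixed(&it, &t, false); else iter_new_vuln(&it, &t);
	exit_mm(&t);
	bool ok = iter_next_ok(&it);
	if (fixed) iter_destroy(&it);
	*users_after = mm.mm_users;
	return ok;
}
```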

Impact Analysis

This vulnerability can lead to a use-after-free scenario in the Linux kernel, which may cause system instability, crashes, or potential escalation of privileges if exploited.

Because it involves kernel memory management, exploitation could allow an attacker to execute arbitrary code at the kernel level or cause denial of service by crashing the system.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the mm lifecycle in the open-coded task_vma iterator. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

  • Apply the kernel update that contains the patch for the bpf task_vma iterator issue.
  • Avoid running untrusted BPF programs that iterate tasks, especially in contexts with IRQs disabled or NMIs, until the fix is applied.