CVE-2026-53094
Status: Received - Intake
Use-After-Free in Linux Kernel BPF Subsystem

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stale offload->prog pointer after constant blinding

When a dev-bound-only BPF program (BPF_F_XDP_DEV_BOUND_ONLY) undergoes JIT compilation with constant blinding enabled (bpf_jit_harden >= 2), bpf_jit_blind_constants() clones the program. The original prog is then freed in bpf_jit_prog_release_other(), which updates aux->prog to point to the surviving clone, but fails to update offload->prog. This leaves offload->prog pointing to the freed original program.

When the network namespace is subsequently destroyed, cleanup_net() triggers bpf_dev_bound_netdev_unregister(), which iterates ondev->progs and calls __bpf_prog_offload_destroy(offload->prog). Accessing the freed prog causes a page fault:

    BUG: unable to handle page fault for address: ffffc900085f1038
    Workqueue: netns cleanup_net
    RIP: 0010:__bpf_prog_offload_destroy+0xc/0x80
    Call Trace:
     __bpf_offload_dev_netdev_unregister+0x257/0x350
     bpf_dev_bound_netdev_unregister+0x4a/0x90
     unregister_netdevice_many_notify+0x2a2/0x660
     ...
     cleanup_net+0x21a/0x320

The test sequence that triggers this reliably is:

1. Set net.core.bpf_jit_harden=2 (echo 2 > /proc/sys/net/core/bpf_jit_harden)
2. Run xdp_metadata selftest, which creates a dev-bound-only XDP program on a veth inside a netns (./test_progs -t xdp_metadata)
3. cleanup_net -> page fault in __bpf_prog_offload_destroy

Dev-bound-only programs are unique in that they have an offload structure but go through the normal JIT path instead of bpf_prog_offload_compile(). This means they are subject to constant blinding's prog clone-and-replace, while also having offload->prog that must stay in sync.

Fix this by updating offload->prog in bpf_jit_prog_release_other(), alongside the existing aux->prog update. Both are back-pointers to the prog that must be kept in sync when the prog is replaced.
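As an added illustration of the back-pointer problem the description explains (this is a toy model written for this page, not kernel code), the C program below stands in for bpf_prog, bpf_prog_aux and bpf_prog_offload with hypothetical toy_ structures. The clone shares one aux/offload pair with the original, exactly the situation that requires both back-pointers to be repointed; a "freed" flag replaces a real free() so that the stale access is reported as a return value instead of faulting. Calling the release step with fix_offload set to false mirrors the bug; setting it to true applies the fix the commit describes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model (added example, not kernel code). The names toy_prog, toy_aux
 * and toy_offload are hypothetical stand-ins for bpf_prog, bpf_prog_aux
 * and bpf_prog_offload. */
struct toy_prog;

struct toy_aux {
    struct toy_prog *prog;      /* back-pointer, like aux->prog */
};

struct toy_offload {
    struct toy_prog *prog;      /* back-pointer, like offload->prog */
};

struct toy_prog {
    int id;
    bool freed;                 /* stands in for the memory being released */
    struct toy_aux *aux;        /* shared between original and clone */
    struct toy_offload *offload;
};

static struct toy_prog *toy_prog_alloc(int id)
{
    struct toy_prog *p = calloc(1, sizeof(*p));
    p->id = id;
    p->aux = calloc(1, sizeof(*p->aux));
    p->offload = calloc(1, sizeof(*p->offload));
    p->aux->prog = p;
    p->offload->prog = p;
    return p;
}

/* Stand-in for bpf_jit_blind_constants(): the clone shares aux and offload
 * with the original, which is why both back-pointers need updating later. */
static struct toy_prog *toy_blind_clone(struct toy_prog *orig)
{
    struct toy_prog *clone = calloc(1, sizeof(*clone));
    clone->id = orig->id;
    clone->aux = orig->aux;
    clone->offload = orig->offload;
    return clone;
}

/* Stand-in for bpf_jit_prog_release_other(). With fix_offload == false it
 * mirrors the bug on the page: aux->prog is repointed, offload->prog is not. */
static void toy_release_other(struct toy_prog *orig, struct toy_prog *clone,
                              bool fix_offload)
{
    orig->freed = true;
    orig->aux->prog = clone;
    if (fix_offload)
        orig->offload->prog = clone;
}

/* Stand-in for __bpf_prog_offload_destroy() on netns teardown.
 * Returns 0 for a live prog, -1 where the kernel would take the page fault. */
static int toy_offload_destroy(struct toy_offload *offload)
{
    struct toy_prog *p = offload->prog;
    return p->freed ? -1 : 0;
}

/* Full sequence: load, blind (clone), release the original, tear down the
 * netns. Returns the destroy result so both behaviours can be compared. */
static int toy_scenario(bool fix_offload)
{
    struct toy_prog *orig = toy_prog_alloc(1);
    struct toy_prog *clone = toy_blind_clone(orig);
    struct toy_aux *aux = orig->aux;
    struct toy_offload *offload = orig->offload;
    int rc;

    toy_release_other(orig, clone, fix_offload);
    rc = toy_offload_destroy(offload);

    free(clone);
    free(orig);
    free(aux);
    free(offload);
    return rc;
}

int main(void)
{
    printf("without offload->prog update: %d\n", toy_scenario(false));
    printf("with offload->prog update:    %d\n", toy_scenario(true));
    return 0;
}
```

The model keeps the original object allocated and only flags it, so the stale read is observable; in the kernel the same read lands on released memory, which is why the page's trace shows a page fault rather than a clean error.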
Meta Information

Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products

Showing 1 associated CPE

Vendor: linux
Product: linux_kernel
Version / Range: *
CWE: CWE-UNKNOWN

AI Quick Actions
Mitigation Strategies

The provided context does not include explicit mitigation steps or workarounds beyond the kernel fix itself, which updates offload->prog in bpf_jit_prog_release_other() alongside the existing aux->prog update.

Executive Summary

This vulnerability occurs in the Linux kernel's BPF (Berkeley Packet Filter) subsystem when a dev-bound-only BPF program undergoes JIT compilation with constant blinding enabled. During this process, the original BPF program is cloned and the original is freed, but a pointer (offload->prog) is not updated to point to the new clone. This causes offload->prog to reference freed memory.

Later, when the network namespace is destroyed, the kernel accesses this freed memory through offload->prog, leading to a page fault and a kernel BUG. The issue arises because the offload->prog pointer is stale and no longer synchronized with the cloned program pointer held in aux->prog.

The fix involved updating offload->prog alongside the other program pointers to ensure they remain in sync after cloning and freeing the original program.

Impact Analysis

This vulnerability can cause a kernel page fault when the network namespace is destroyed, potentially leading to a kernel crash or instability.

Such a crash could disrupt network operations, cause denial of service on affected systems, and impact the reliability of services relying on the Linux kernel's networking stack.

Detection Guidance

This vulnerability can be detected by reproducing the test sequence that triggers it reliably: set the kernel parameter below and run the named selftest.

  • Set the kernel parameter net.core.bpf_jit_harden to 2 by running: echo 2 > /proc/sys/net/core/bpf_jit_harden
  • Run the xdp_metadata selftest which creates a dev-bound-only XDP program on a veth inside a network namespace: ./test_progs -t xdp_metadata

If the vulnerability is present, a page fault will occur during network namespace cleanup, visible in kernel logs as a BUG related to __bpf_prog_offload_destroy.
