CVE-2026-53096
Received - Intake
Use-After-Free in Linux Kernel BPF

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path

The DEVMAP_HASH branch in dev_map_redirect_multi() uses hlist_for_each_entry_safe() to iterate hash buckets, but this function runs under RCU protection (called from xdp_do_generic_redirect_map() in softirq context). Concurrent writers (__dev_map_hash_update_elem, dev_map_hash_delete_elem) modify the list using RCU primitives (hlist_add_head_rcu, hlist_del_rcu).

hlist_for_each_entry_safe() performs plain pointer dereferences without rcu_dereference(), missing the acquire barrier needed to pair with writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64, POWER), a reader can observe a partially-constructed node. It also defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race detection.

Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held() as the lockdep condition, consistent with the rcu_dereference_check() used in the DEVMAP (non-hash) branch of the same functions.

Also fix the same incorrect lockdep_is_held(&dtab->index_lock) condition in dev_map_enqueue_multi(), where the lock is not held either.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's BPF subsystem, specifically in the SKB path of dev_map_redirect_multi(). The DEVMAP_HASH branch iterates over hash buckets with hlist_for_each_entry_safe(), an iterator that does not use the RCU (Read-Copy-Update) dereference primitives required when the list can be modified concurrently.

Concurrent writers modify the list using RCU primitives, but the iteration function performs plain pointer dereferences without the necessary acquire barrier. On weakly-ordered architectures like ARM64 and POWER, this can cause a reader to observe a partially-constructed node, leading to potential data races and incorrect behavior.

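The fix replaces the unsafe iterator with hlist_for_each_entry_rcu(), which loads each list pointer through the RCU dereference primitives and takes rcu_read_lock_bh_held() as its lockdep condition. The same change corrects the incorrect lockdep_is_held(&dtab->index_lock) condition in dev_map_enqueue_multi().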
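
The publish/read pairing described above, as a userspace model added here for illustration; it is not kernel code and not the patch itself. C11 release stores and acquire loads stand in for rcu_assign_pointer() and rcu_dereference() as an assumption of the model, and every model_* name is hypothetical.

```c
/* Userspace model, not kernel code: C11 atomics stand in for the RCU
 * primitives named in the description. All model_* names are hypothetical. */
#include <stdatomic.h>
#include <stddef.h>

struct model_dev { int ifindex; _Atomic(struct model_dev *) next; };
struct model_bucket { _Atomic(struct model_dev *) first; };
#define RLX memory_order_relaxed

/* Writer: initialise the node fully, then publish it with a release store
 * (the role of rcu_assign_pointer() in hlist_add_head_rcu()). */
static void model_add_head(struct model_bucket *b, struct model_dev *n, int ifindex)
{
    n->ifindex = ifindex;
    atomic_store_explicit(&n->next, atomic_load_explicit(&b->first, RLX), RLX);
    atomic_store_explicit(&b->first, n, memory_order_release);
}

/* Writer: unlink n but leave n->next intact, as hlist_del_rcu() does, so a
 * reader already standing on n can keep walking. Nothing is freed here; the
 * kernel frees the entry only after a grace period. */
static void model_del(struct model_bucket *b, struct model_dev *n)
{
    _Atomic(struct model_dev *) *pp = &b->first;
    struct model_dev *cur;
    for (; (cur = atomic_load_explicit(pp, RLX)) != NULL; pp = &cur->next)
        if (cur == n) {
            atomic_store_explicit(pp, atomic_load_explicit(&n->next, RLX),
                                  memory_order_release);
            return;
        }
}

/* Reader: each pointer load is an acquire load, the role rcu_dereference()
 * plays inside hlist_for_each_entry_rcu(). */
#define model_for_each_rcu(pos, headp)                                    \
    for (pos = atomic_load_explicit((headp), memory_order_acquire); pos;  \
         pos = atomic_load_explicit(&(pos)->next, memory_order_acquire))

/* Walk from *headp, record each ifindex, return the number visited. */
static int model_walk(_Atomic(struct model_dev *) *headp, int *out, int max)
{
    struct model_dev *d;
    int n = 0;
    model_for_each_rcu(d, headp)
        if (n < max)
            out[n++] = d->ifindex;
    return n;
}
```

Replacing the acquire loads in model_for_each_rcu with plain reads gives the shape of the pre-fix iterator: the compiler and a weakly-ordered CPU are then free to let the reader see the new pointer before the node's fields.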

Impact Analysis

This vulnerability can lead to data races and inconsistent or partially-constructed data being observed by the kernel on certain architectures. This may cause kernel instability, crashes, or unpredictable behavior in networking functions that rely on the affected code path.

Since the issue affects the Linux kernel's BPF subsystem, which is often used for packet filtering and network traffic control, it could impact system reliability and security, potentially leading to denial of service or other unintended consequences.

Mitigation Strategies

This vulnerability has been resolved in the Linux kernel by switching to RCU-safe iteration in the dev_map_redirect_multi() SKB path.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix replacing hlist_for_each_entry_safe() with hlist_for_each_entry_rcu() and correcting the lockdep conditions as described.
