CVE-2026-23319

HIGH EPSS 2.6%
Published Mar 25, 20263mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Mar 25, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'. Based on Martin KaFai Lau's suggestions, I have created a simple patch. To fix this: Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is not already zero. Testing: I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger: static void bpf_shim_tramp_link_release(struct bpf_link *link) { /* ... */ if (!shim_link->trampoline) return; + msleep(100); WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link, shim_link->trampoline, NULL)); bpf_trampoline_put(shim_link->trampoline); } Before the patch, running a PoC easily reproduced the crash(almost 100%) with a call trace similar to KaiyanM's report. After the patch, the bug no longer occurs even after millions of iterations.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 13

VendorProductVersionRange
linuxlinux_kernel*≥6.0.1  –  <6.1.167
linuxlinux_kernel*≥6.2  –  <6.6.130
linuxlinux_kernel*≥6.7  –  <6.12.77
linuxlinux_kernel*≥6.13  –  <6.18.17
linuxlinux_kernel*≥6.19  –  <6.19.7
linuxlinux_kernel6.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4e8a0005d633a4adc98e3b65d5080f93b90d356b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/529e685e522b9d7fb379dbe6929dcdf520e34c8c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9b02c5c4147f8af8ed783c8deb5df927a55c3951
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cfcfa0ca0212162aa472551266038e8fd6768cff
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4e8a0005d633a4adc98e3b65d5080f93b90d356b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/529e685e522b9d7fb379dbe6929dcdf520e34c8c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9b02c5c4147f8af8ed783c8deb5df927a55c3951
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cfcfa0ca0212162aa472551266038e8fd6768cff
    Patch