CVE-2026-23319 (GCVE-0-2026-23319)

Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-05-11 22:04
Title
bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
Summary
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim

The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.

Based on Martin KaFai Lau's suggestions, I have created a simple patch.

To fix this:
   Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.
   Only increment the refcount if it is not already zero.

Testing:
   I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger:

static void bpf_shim_tramp_link_release(struct bpf_link *link)
{
	/* ... */
	if (!shim_link->trampoline)
		return;

+	msleep(100);
	WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,
		shim_link->trampoline, NULL));
	bpf_trampoline_put(shim_link->trampoline);
}

Before the patch, running a PoC easily reproduced the crash (almost 100%) with a call trace similar to KaiyanM's report.
After the patch, the bug no longer occurs even after millions of iterations.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e , < 529e685e522b9d7fb379dbe6929dcdf520e34c8c (git)
Affected: 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e , < 9b02c5c4147f8af8ed783c8deb5df927a55c3951 (git)
Affected: 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e , < cfcfa0ca0212162aa472551266038e8fd6768cff (git)
Affected: 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e , < 3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2 (git)
Affected: 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e , < 4e8a0005d633a4adc98e3b65d5080f93b90d356b (git)
Affected: 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e , < 56145d237385ca0e7ca9ff7b226aaf2eb8ef368b (git)
Linux Linux Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.167 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.77 , ≤ 6.12.* (semver)
Unaffected: 6.18.17 , ≤ 6.18.* (semver)
Unaffected: 6.19.7 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/trampoline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "529e685e522b9d7fb379dbe6929dcdf520e34c8c",
              "status": "affected",
              "version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
              "versionType": "git"
            },
            {
              "lessThan": "9b02c5c4147f8af8ed783c8deb5df927a55c3951",
              "status": "affected",
              "version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
              "versionType": "git"
            },
            {
              "lessThan": "cfcfa0ca0212162aa472551266038e8fd6768cff",
              "status": "affected",
              "version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
              "versionType": "git"
            },
            {
              "lessThan": "3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2",
              "status": "affected",
              "version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
              "versionType": "git"
            },
            {
              "lessThan": "4e8a0005d633a4adc98e3b65d5080f93b90d356b",
              "status": "affected",
              "version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
              "versionType": "git"
            },
            {
              "lessThan": "56145d237385ca0e7ca9ff7b226aaf2eb8ef368b",
              "status": "affected",
              "version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/trampoline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\n\nThe root cause of this bug is that when \u0027bpf_link_put\u0027 reduces the\nrefcount of \u0027shim_link-\u003elink.link\u0027 to zero, the resource is considered\nreleased but may still be referenced via \u0027tr-\u003eprogs_hlist\u0027 in\n\u0027cgroup_shim_find\u0027. The actual cleanup of \u0027tr-\u003eprogs_hlist\u0027 in\n\u0027bpf_shim_tramp_link_release\u0027 is deferred. During this window, another\nprocess can cause a use-after-free via \u0027bpf_trampoline_link_cgroup_shim\u0027.\n\nBased on Martin KaFai Lau\u0027s suggestions, I have created a simple patch.\n\nTo fix this:\n   Add an atomic non-zero check in \u0027bpf_trampoline_link_cgroup_shim\u0027.\n   Only increment the refcount if it is not already zero.\n\nTesting:\n   I verified the fix by adding a delay in\n   \u0027bpf_shim_tramp_link_release\u0027 to make the bug easier to trigger:\n\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\n{\n\t/* ... */\n\tif (!shim_link-\u003etrampoline)\n\t\treturn;\n\n+\tmsleep(100);\n\tWARN_ON_ONCE(bpf_trampoline_unlink_prog(\u0026shim_link-\u003elink,\n\t\tshim_link-\u003etrampoline, NULL));\n\tbpf_trampoline_put(shim_link-\u003etrampoline);\n}\n\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\nwith a call trace similar to KaiyanM\u0027s report.\nAfter the patch, the bug no longer occurs even after millions of\niterations."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:04:35.115Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/529e685e522b9d7fb379dbe6929dcdf520e34c8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b02c5c4147f8af8ed783c8deb5df927a55c3951"
        },
        {
          "url": "https://git.kernel.org/stable/c/cfcfa0ca0212162aa472551266038e8fd6768cff"
        },
        {
          "url": "https://git.kernel.org/stable/c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e8a0005d633a4adc98e3b65d5080f93b90d356b"
        },
        {
          "url": "https://git.kernel.org/stable/c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b"
        }
      ],
      "title": "bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23319",
    "datePublished": "2026-03-25T10:27:13.678Z",
    "dateReserved": "2026-01-13T15:37:45.995Z",
    "dateUpdated": "2026-05-11T22:04:35.115Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23319",
      "date": "2026-05-25",
      "epss": "0.00015",
      "percentile": "0.03632"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23319\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-03-25T11:16:28.570\",\"lastModified\":\"2026-04-23T21:05:38.103\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\\n\\nThe root cause of this bug is that when \u0027bpf_link_put\u0027 reduces the\\nrefcount of \u0027shim_link-\u003elink.link\u0027 to zero, the resource is considered\\nreleased but may still be referenced via \u0027tr-\u003eprogs_hlist\u0027 in\\n\u0027cgroup_shim_find\u0027. The actual cleanup of \u0027tr-\u003eprogs_hlist\u0027 in\\n\u0027bpf_shim_tramp_link_release\u0027 is deferred. During this window, another\\nprocess can cause a use-after-free via \u0027bpf_trampoline_link_cgroup_shim\u0027.\\n\\nBased on Martin KaFai Lau\u0027s suggestions, I have created a simple patch.\\n\\nTo fix this:\\n   Add an atomic non-zero check in \u0027bpf_trampoline_link_cgroup_shim\u0027.\\n   Only increment the refcount if it is not already zero.\\n\\nTesting:\\n   I verified the fix by adding a delay in\\n   \u0027bpf_shim_tramp_link_release\u0027 to make the bug easier to trigger:\\n\\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\\n{\\n\\t/* ... 
*/\\n\\tif (!shim_link-\u003etrampoline)\\n\\t\\treturn;\\n\\n+\\tmsleep(100);\\n\\tWARN_ON_ONCE(bpf_trampoline_unlink_prog(\u0026shim_link-\u003elink,\\n\\t\\tshim_link-\u003etrampoline, NULL));\\n\\tbpf_trampoline_put(shim_link-\u003etrampoline);\\n}\\n\\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\\nwith a call trace similar to KaiyanM\u0027s report.\\nAfter the patch, the bug no longer occurs even after millions of\\niterations.\"},{\"lang\":\"es\",\"value\":\"En el n\u00facleo de Linux, se ha solucionado la siguiente vulnerabilidad: bpf: Correcci\u00f3n de un problema de UAF en bpf_trampoline_link_cgroup_shim. La causa principal de este error es que, cuando \u00abbpf_link_put\u00bb reduce a cero el contador de referencias de \u00abshim_link-\u0026gt;link.link\u00bb, el recurso se considera liberado, pero a\u00fan puede ser referenciado a trav\u00e9s de \u00abtr-\u0026gt;progs_hlist\u00bb en \u00abcgroup_shim_find\u00bb. La limpieza real de \u00abtr-\u0026gt;progs_hlist\u00bb en \u00abbpf_shim_tramp_link_release\u00bb se aplaza. Durante este intervalo, otro proceso puede provocar un uso despu\u00e9s de la liberaci\u00f3n a trav\u00e9s de \u00abbpf_trampoline_link_cgroup_shim\u00bb. Bas\u00e1ndome en las sugerencias de Martin KaFai Lau, he creado un parche sencillo. Para solucionar esto: a\u00f1adir una comprobaci\u00f3n at\u00f3mica de que no sea cero en \u00abbpf_trampoline_link_cgroup_shim\u00bb. Solo incrementar el contador de referencias si a\u00fan no es cero. Pruebas: He verificado la correcci\u00f3n a\u00f1adiendo un retraso en \u00abbpf_shim_tramp_link_release\u00bb para que el error sea m\u00e1s f\u00e1cil de provocar: static void bpf_shim_tramp_link_release(struct bpf_link *link) { /* ... 
*/ if (!shim_link-\u0026gt;trampoline) return; + msleep(100); WARN_ON_ONCE(bpf_trampoline_unlink_prog(\u0026amp;shim_link-\u0026gt;link, shim_link-\u0026gt;trampoline, NULL)); bpf_trampoline_put(shim_link-\u0026gt;trampoline); } Antes del parche, al ejecutar un PoC se reproduc\u00eda f\u00e1cilmente el bloqueo (casi al 100 %) con un seguimiento de llamadas similar al del informe de KaiyanM. Tras el parche, el error ya no se produce ni siquiera tras millones de iteraciones.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.1\",\"versionEndExcluding\":\"6.1.167\",\"matchCriteriaId\":\"72B24488-A57B-4D9C-A7EA-A6020518455B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.130\",\"matchCriteriaId\":\"C57BB918-DF28-46B3-94F7-144176841267\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.77\",\"matchCriteriaId\":\"B3D12E00-E42D-4056-B354-BAD4903C03A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.1
8.17\",\"matchCriteriaId\":\"A5E006E4-59C7-43C1-9231-62A72219F2BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.7\",\"matchCriteriaId\":\"69245D10-0B71-485E-80C3-A64F077004D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"7BE551E5-89CF-47A8-9B26-03CE727FBA37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"02259FDA-961B-47BC-AE7F-93D7EC6E90C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D2315C0-D46F-4F85-9754-F9E5E11374A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"512EE3A8-A590-4501-9A94-5D4B268D6138\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4e8a0005d633a4adc98e3b65d5080f93b90d356b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/529e685e522b9d7fb379dbe6929dcdf520e34c8c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.ke
rnel.org/stable/c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9b02c5c4147f8af8ed783c8deb5df927a55c3951\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cfcfa0ca0212162aa472551266038e8fd6768cff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}

