{ "threat_severity" : "Moderate", "public_date" : "2026-03-25T00:00:00Z", "bugzilla" : { "description" : "kernel: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim", "id" : "2451203", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451203" }, "cvss3" : { "cvss3_base_score" : "6.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status" : "draft" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\nThe root cause of this bug is that when 'bpf_link_put' reduces the\nrefcount of 'shim_link->link.link' to zero, the resource is considered\nreleased but may still be referenced via 'tr->progs_hlist' in\n'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in\n'bpf_shim_tramp_link_release' is deferred. During this window, another\nprocess can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.\nBased on Martin KaFai Lau's suggestions, I have created a simple patch.\nTo fix this:\nAdd an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.\nOnly increment the refcount if it is not already zero.\nTesting:\nI verified the fix by adding a delay in\n'bpf_shim_tramp_link_release' to make the bug easier to trigger:\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\n{\n/* ... */\nif (!shim_link->trampoline)\nreturn;\n+msleep(100);\nWARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,\nshim_link->trampoline, NULL));\nbpf_trampoline_put(shim_link->trampoline);\n}\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\nwith a call trace similar to KaiyanM's report.\nAfter the patch, the bug no longer occurs even after millions of\niterations.", "A flaw was found in the Linux kernel's Berkeley Packet Filter (BPF) component. This use-after-free (UAF) vulnerability allows a local user to trigger a condition in the `bpf_trampoline_link_cgroup_shim` function where a resource is freed but still referenced. This can lead to a system crash, resulting in a denial of service, or potentially enable privilege escalation." ], "statement" : "This flaw affects systems using BPF with cgroup trampolines. The race condition occurs between bpf_link_put() releasing a shim link and another process looking it up via cgroup_shim_find(). The deferred cleanup of tr->progs_hlist creates a window for use-after-free. Exploitation requires BPF privileges and concurrent operations on cgroup BPF programs.\nActual only for ARM platform.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23319\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23319\nhttps://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23319-1e3d@gregkh/T" ], "name" : "CVE-2026-23319", "csaw" : false }