Bug 2481870 (CVE-2026-45838)

Summary: CVE-2026-45838 kernel: bpf: fix end-of-list detection in cgroup_storage_get_next_key()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel. Specifically, within the Berkeley Packet Filter (BPF) component, an error in the `cgroup_storage_get_next_key()` function's end-of-list detection mechanism can cause the system to read from an invalid memory location. This incorrect handling may lead to internal map fields being copied to userspace, resulting in information disclosure.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-27 11:01:47 UTC 
In the Linux kernel, the following vulnerability has been resolved:

bpf: fix end-of-list detection in cgroup_storage_get_next_key()

list_next_entry() never returns NULL -- when the current element is the
last entry it wraps to the list head via container_of(). The subsequent
NULL check is therefore dead code and get_next_key() never returns
-ENOENT for the last element, instead reading storage->key from a bogus
pointer that aliases internal map fields and copying the result to
userspace.

Replace it with list_entry_is_head() so the function correctly returns
-ENOENT when there are no more entries.
Comment 1 Keith Grant 2026-05-27 12:35:25 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052711-CVE-2026-45838-9c3b@gregkh/T