Bug 2492324 (CVE-2026-53089) - CVE-2026-53089 kernel: bpf: Fix use-after-free in offloaded map/prog info fill
Summary: CVE-2026-53089 kernel: bpf: Fix use-after-free in offloaded map/prog info fill
Keywords:
Status: NEW
Alias: CVE-2026-53089
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-24 18:05 UTC by OSIDB Bzimport
Modified: 2026-06-26 18:09 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:05:48 UTC
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix use-after-free in offloaded map/prog info fill

When querying info for an offloaded BPF map or program,
bpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns()
obtain the network namespace with get_net(dev_net(offmap->netdev)).
However, the associated netdev's netns may be racing with teardown
during netns destruction. If the netns refcount has already reached 0,
get_net() performs a refcount_t increment on 0, triggering:

  refcount_t: addition on 0; use-after-free.

Although rtnl_lock and bpf_devs_lock ensure the netdev pointer remains
valid, they cannot prevent the netns refcount from reaching zero.

Fix this by using maybe_get_net() instead of get_net(). maybe_get_net()
uses refcount_inc_not_zero() and returns NULL if the refcount is already
zero, which causes ns_get_path_cb() to fail and the caller to return
-ENOENT -- the correct behavior when the netns is being destroyed.


Note You need to log in before you can comment on or make changes to this bug.