PT-2026-27684 · Linux · Linux
Published 2026-03-25 · Updated 2026-03-25 · CVE-2026-23319
Severity: none assigned. No severity ratings or metrics are available; when they are, the corresponding information on this page will be updated.
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a UAF issue in bpf trampoline link cgroup shim
The root cause of this bug is that when 'bpf_link_put' reduces the
refcount of 'shim_link->link.link' to zero, the resource is considered
released but may still be referenced via 'tr->progs_hlist' in
'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in
'bpf_shim_tramp_link_release' is deferred. During this window, another
process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.
Based on Martin KaFai Lau's suggestions, I have created a simple patch.
To fix this:
Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.
Only increment the refcount if it is not already zero.
Testing:
I verified the fix by adding a delay in
'bpf_shim_tramp_link_release' to make the bug easier to trigger:
static void bpf_shim_tramp_link_release(struct bpf_link *link)
{
	/* ... */
	if (!shim_link->trampoline)
		return;
+	msleep(100);
	WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link, shim_link->trampoline, NULL));
	bpf_trampoline_put(shim_link->trampoline);
}
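Review bot: the msleep(100) added before bpf_trampoline_unlink_prog() is reproduction instrumentation, not part of the fix; it only widens the window between the last bpf_link_put() and the removal of the entry from tr->progs_hlist so the race is easier to hit. Mark the snippet as test-only in the message (or drop it) so it is not mistaken for the change under review, and note that the actual fix, the non-zero refcount check in bpf_trampoline_link_cgroup_shim, is not shown here.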
Before the patch, running a PoC easily reproduced the crash (almost 100%)
with a call trace similar to KaiyanM's report.
After the patch, the bug no longer occurs even after millions of
iterations.
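The pattern the commit describes, shown as an added user-space model rather than the kernel's own code: an object stays reachable from a list after its last put() has dropped the refcount to zero (cleanup deferred), and a concurrent lookup either resurrects the dead object with a plain increment or refuses it with an increment-if-not-zero. The struct names, the `freed` flag and the single-threaded "race window" driver are this example's assumptions; `refcnt_inc_not_zero` mirrors the semantics of the kernel's `refcount_inc_not_zero()` but is not that function.

```c
/* Added example, not kernel code: models the refcount race behind the
 * bpf trampoline cgroup-shim UAF. put() drops the count to zero but the
 * list unlink is deferred, so a lookup can still find the dead entry.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct shim_link {
    atomic_int refcnt;
    int cgroup_id;
    bool freed;               /* assumption: set when the count hits zero (kfree in the kernel) */
    struct shim_link *next;   /* stands in for the tr->progs_hlist linkage */
};

struct trampoline {
    struct shim_link *progs;  /* dead entries remain here until deferred cleanup runs */
};

/* Assumed helper with refcount_inc_not_zero() semantics: a CAS loop that
 * never moves the count away from zero. */
static bool refcnt_inc_not_zero(atomic_int *r)
{
    int old = atomic_load(r);
    do {
        if (old == 0)
            return false;
    } while (!atomic_compare_exchange_weak(r, &old, old + 1));
    return true;
}

/* bpf_link_put()-style release: the last put marks the object dead.
 * Removal from tr->progs is deliberately deferred, as in the report. */
static void shim_link_put(struct shim_link *l)
{
    if (atomic_fetch_sub(&l->refcnt, 1) == 1)
        l->freed = true;      /* object is gone; list entry still dangles */
}

/* Vulnerable lookup: takes a reference without checking for zero, so it
 * hands back an object whose last reference has already been dropped. */
static struct shim_link *find_shim_unchecked(struct trampoline *tr, int cgroup_id)
{
    for (struct shim_link *l = tr->progs; l; l = l->next)
        if (l->cgroup_id == cgroup_id) {
            atomic_fetch_add(&l->refcnt, 1);
            return l;
        }
    return NULL;
}

/* Hardened lookup: returns the entry only if a reference could be taken. */
static struct shim_link *find_shim_checked(struct trampoline *tr, int cgroup_id)
{
    for (struct shim_link *l = tr->progs; l; l = l->next)
        if (l->cgroup_id == cgroup_id)
            return refcnt_inc_not_zero(&l->refcnt) ? l : NULL;
    return NULL;
}

/* Drives the window deterministically: last put, then lookup.
 * Returns true when the caller obtained a handle to a freed object. */
static bool race_window(bool hardened)
{
    struct shim_link link = { .cgroup_id = 7, .next = NULL };  /* constructed entry */
    atomic_init(&link.refcnt, 1);
    struct trampoline tr = { .progs = &link };

    shim_link_put(&link);     /* 1 -> 0; entry is still on the list */
    struct shim_link *got = hardened ? find_shim_checked(&tr, 7)
                                     : find_shim_unchecked(&tr, 7);
    return got != NULL && got->freed;
}

int main(void)
{
    printf("unchecked lookup returns freed object: %s\n", race_window(false) ? "yes" : "no");
    printf("checked lookup returns freed object:   %s\n", race_window(true) ? "yes" : "no");
    return 0;
}
```

The unchecked path is the pre-fix behaviour: the refcount goes 1 -> 0 -> 1 and the caller proceeds with memory that has already been released. The checked path is the shape of the fix: a zero count is treated as "already dead, not mine to revive", and the lookup fails closed until the deferred unlink catches up.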
Related Identifiers
Affected Products: Linux