{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23319", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.995Z", "datePublished": "2026-03-25T10:27:13.678Z", "dateUpdated": "2026-03-25T10:27:13.678Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:13.678Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\n\nThe root cause of this bug is that when 'bpf_link_put' reduces the\nrefcount of 'shim_link->link.link' to zero, the resource is considered\nreleased but may still be referenced via 'tr->progs_hlist' in\n'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in\n'bpf_shim_tramp_link_release' is deferred. During this window, another\nprocess can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.\n\nBased on Martin KaFai Lau's suggestions, I have created a simple patch.\n\nTo fix this:\n Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.\n Only increment the refcount if it is not already zero.\n\nTesting:\n I verified the fix by adding a delay in\n 'bpf_shim_tramp_link_release' to make the bug easier to trigger:\n\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\n{\n\t/* ... */\n\tif (!shim_link->trampoline)\n\t\treturn;\n\n+\tmsleep(100);\n\tWARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,\n\t\tshim_link->trampoline, NULL));\n\tbpf_trampoline_put(shim_link->trampoline);\n}\n\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\nwith a call trace similar to KaiyanM's report.\nAfter the patch, the bug no longer occurs even after millions of\niterations."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/trampoline.c"], "versions": [{"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "529e685e522b9d7fb379dbe6929dcdf520e34c8c", "status": "affected", "versionType": "git"}, {"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "9b02c5c4147f8af8ed783c8deb5df927a55c3951", "status": "affected", "versionType": "git"}, {"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "cfcfa0ca0212162aa472551266038e8fd6768cff", "status": "affected", "versionType": "git"}, {"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2", "status": "affected", "versionType": "git"}, {"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "4e8a0005d633a4adc98e3b65d5080f93b90d356b", "status": "affected", "versionType": "git"}, {"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "56145d237385ca0e7ca9ff7b226aaf2eb8ef368b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/trampoline.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/529e685e522b9d7fb379dbe6929dcdf520e34c8c"}, {"url": "https://git.kernel.org/stable/c/9b02c5c4147f8af8ed783c8deb5df927a55c3951"}, {"url": "https://git.kernel.org/stable/c/cfcfa0ca0212162aa472551266038e8fd6768cff"}, {"url": "https://git.kernel.org/stable/c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2"}, {"url": "https://git.kernel.org/stable/c/4e8a0005d633a4adc98e3b65d5080f93b90d356b"}, {"url": "https://git.kernel.org/stable/c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b"}], "title": "bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\n\nThe root cause of this bug is that when 'bpf_link_put' reduces the\nrefcount of 'shim_link->link.link' to zero, the resource is considered\nreleased but may still be referenced via 'tr->progs_hlist' in\n'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in\n'bpf_shim_tramp_link_release' is deferred. During this window, another\nprocess can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.\n\nBased on Martin KaFai Lau's suggestions, I have created a simple patch.\n\nTo fix this:\n Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.\n Only increment the refcount if it is not already zero.\n\nTesting:\n I verified the fix by adding a delay in\n 'bpf_shim_tramp_link_release' to make the bug easier to trigger:\n\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\n{\n\t/* ... */\n\tif (!shim_link->trampoline)\n\t\treturn;\n\n+\tmsleep(100);\n\tWARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,\n\t\tshim_link->trampoline, NULL));\n\tbpf_trampoline_put(shim_link->trampoline);\n}\n\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\nwith a call trace similar to KaiyanM's report.\nAfter the patch, the bug no longer occurs even after millions of\niterations."}], "id": "CVE-2026-23319", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:28.570", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4e8a0005d633a4adc98e3b65d5080f93b90d356b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/529e685e522b9d7fb379dbe6929dcdf520e34c8c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9b02c5c4147f8af8ed783c8deb5df927a55c3951"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cfcfa0ca0212162aa472551266038e8fd6768cff"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim", "id": "2451203", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451203"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's Berkeley Packet Filter (BPF) component. This use-after-free (UAF) vulnerability allows a local user to trigger a condition in the `bpf_trampoline_link_cgroup_shim` function where a resource is freed but still referenced. This can lead to a system crash, resulting in a denial of service, or potentially enable privilege escalation."], "name": "CVE-2026-23319", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23319\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23319\nhttps://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23319-1e3d@gregkh/T"], "statement": "This flaw affects systems using BPF with cgroup trampolines. The race condition occurs between bpf_link_put() releasing a shim link and another process looking it up via cgroup_shim_find(). The deferred cleanup of tr->progs_hlist creates a window for use-after-free. Exploitation requires BPF privileges and concurrent operations on cgroup BPF programs.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T11:46:09.649361+00:00", "value": {"mitigation_remediation": ["Upgrade to a kernel version that includes the bpf_trampoline_link_cgroup_shim fix.", "If an update cannot be performed immediately, limit BPF program loading and cgroup shim usage to trusted users or disable these features where possible."], "summary": {"action": "Apply Patch", "impact": "Use-After-Free leading to Kernel Execution"}, "threat_synthesis": {"affected_systems": "All Linux kernels that contain the unpatched bpf_trampoline_link_cgroup_shim code are affected. Both upstream and downstream distributions that ship an older kernel version before the patch commit are vulnerable. No specific version numbers are listed in the CVE record, so any system that has not applied the described fix remains at risk.", "description_and_impact": "The bug is a use\u2011after\u2011free in the BPF cgroup shim support. When a BPF link is released, its reference count can drop to zero while another structure still holds a reference to it. During the short period before the trampoline link cleanup completes, a malicious or buggy caller can use the freed memory, triggering a NULL pointer dereference or arbitrary writes in kernel space. The vulnerability is confined to the kernel's BPF subsystem and can be triggered by loading or attaching BPF programs that rely on cgroup shims. An attacker able to exploit this can potentially run code with kernel privileges.", "risk_and_exploitability": "The risk is high because use\u2011after\u2011free inside the kernel can elevate privileges and compromise system stability. The exploit requires local privileges with the ability to load BPF programs; kernel exploitation techniques are well known, but the code path is somewhat specialized, so the exploitation difficulty is moderate. No EPSS score is available and the vulnerability is not yet listed in CISA's KEV catalog, but the potential impact warrants urgent attention."}}}}, "created": "2026-03-25T21:15:10.237218+00:00", "updated": "2026-03-25T21:15:10.237303+00:00", "vendors": [], "weaknesses": ["CWE-416"]}