Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix use-after-free in arena_vm_close on fork

arena_vm_open() only bumps vml->mmap_count but never registers the
child VMA in arena->vma_list. The vml->vma always points at the
parent VMA, so after parent munmap the pointer dangles. If the child
then calls bpf_arena_free_pages(), zap_pages() reads the stale
vml->vma triggering use-after-free.

Fix this by preventing the arena VMA from being inherited across
fork with VM_DONTCOPY, and preventing VMA splits via the may_split
callback.

Also reject mremap with a .mremap callback returning -EINVAL. A
same-size mremap(MREMAP_FIXED) on the full arena VMA reaches
copy_vma() through the following path:

check_prep_vma()       - returns 0 early: new_len == old_len
                         skips VM_DONTEXPAND check
prep_move_vma()        - vm_start == old_addr and
                         vm_end == old_addr + old_len
                         so may_split is never called
move_vma()
  copy_vma_and_data()
    copy_vma()
      vm_area_dup()    - copies vm_private_data (vml pointer)
      vm_ops->open()   - bumps vml->mmap_count
      vm_ops->mremap() - returns -EINVAL, rollback unmaps new VMA

The refcount ensures the rollback's arena_vm_close does not free
the vml shared with the original VMA.
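As an added illustration (not code from the kernel patch), the following user-space C program shows the fork semantics the fix relies on: madvise(MADV_DONTFORK) sets VM_DONTCOPY on an ordinary anonymous mapping, so the child of a fork no longer has that VMA and touching it faults instead of reaching a mapping the parent may later tear down. It assumes a Linux host where fork() is permitted.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Map one page, optionally mark it MADV_DONTFORK (which sets VM_DONTCOPY,
 * the same VMA flag the arena fix applies), fork, and let the child read
 * the page. Returns 1 if the child inherited the mapping and read it,
 * 0 if the child died with SIGSEGV because the VMA was not copied,
 * and -1 on any setup failure. */
static int child_inherits_mapping(int dontfork)
{
    long page = sysconf(_SC_PAGESIZE);
    volatile char *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    p[0] = 'A';
    if (dontfork && madvise((void *)p, page, MADV_DONTFORK) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: this read faults if the VMA was excluded from the fork. */
        char c = p[0];
        _exit(c == 'A' ? 0 : 2);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    munmap((void *)p, page);
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)
        return 0;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 1;
    return -1;
}

int main(void)
{
    printf("plain mapping inherited by child: %d\n", child_inherits_mapping(0));
    printf("MADV_DONTFORK mapping inherited by child: %d\n", child_inherits_mapping(1));
    return 0;
}
```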
Published: 2026-05-27
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's BPF subsystem contains a use-after-free flaw in the arena_vm_close path that is triggered after a fork when a child inherits a BPF arena virtual memory area (VMA). Because arena_vm_close dereferences a stale pointer to a VMA that the parent process has already unmapped, a subsequent call to bpf_arena_free_pages can access freed memory, leading to a kernel crash or local privilege escalation. The weakness originates from improper management of the arena VMA list and the absence of defensive checks in the VM operations.

Affected Systems

The vulnerability affects any Linux kernel build that contains the BPF arena code before the patch series introduced by commit 201128fcc7b213d27ab77bc4e89488b41796480f. All distributions based on the upstream kernel that have not yet upgraded to a version including that commit or later are at risk. Systems running custom kernels or those that compile and load BPF programs which allocate arenas during userland forks, such as network packet classifiers or sandboxed workloads, are particularly susceptible. Customers are encouraged to review their kernel version and whether it includes the VM_DONTCOPY and may_split fixes to determine if the fix has been applied.

Risk and Exploitability

The flaw is classified as a use-after-free and a memory corruption issue (CWE-825). It carries a CVSS score of 7.0 and an EPSS score of <1%, indicating a moderate severity but a low probability of exploitation. The attack vector is local; an attacker must be able to run or inject a BPF program that reserves an arena and then fork a process whose parent unmaps the arena. Once the condition is met, the kernel can be forced to crash or allow the attacker to exploit the dangling pointer to execute arbitrary code with kernel privileges. Although the exploitation path is non-trivial and no public exploits are known, the potential impact of a successful attack is high; the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been observed in widespread use.

Generated by OpenCVE AI on May 28, 2026 at 03:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that contains the bpf arena use‑after‑free fix, which is included in the commit series starting with 201128fcc7b213d27ab77bc4e89488b41796480f.
  • If an immediate kernel upgrade is not possible, restrict or block the loading of BPF programs that allocate arenas from untrusted users or services; enforce this restriction with seccomp or BPF policy enforcement.
  • Disable BPF program loading for non‑essential services, or revert to a kernel configuration that does not enable the arena feature until the upstream fix is applied.


Advisories

No advisories yet.

History

Thu, 28 May 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 27 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description (text identical to the Description section above)
Title bpf: Fix use-after-free in arena_vm_close on fork
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:46:01.781Z

Reserved: 2026-05-13T15:03:33.077Z

Link: CVE-2026-45837

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T11:16:23.020

Modified: 2026-06-17T10:52:34.930

Link: CVE-2026-45837

Redhat

Severity : Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45837 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T03:45:06Z

Weaknesses
  • CWE-825: Expired Pointer Dereference