CVE-2026-45838 - Vulnerability Details

- bpf: fix end-of-list detection in cgroup_storage_get_next_key()

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: fix end-of-list detection in cgroup_storage_get_next_key()

list_next_entry() never returns NULL -- when the current element is the
last entry it wraps to the list head via container_of(). The subsequent
NULL check is therefore dead code and get_next_key() never returns
-ENOENT for the last element, instead reading storage->key from a bogus
pointer that aliases internal map fields and copying the result to
userspace.

Replace it with list_entry_is_head() so the function correctly returns
-ENOENT when there are no more entries.

Published: 2026-05-27

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is in the Linux kernel’s BPF subsystem, where the cgroup_storage_get_next_key() routine misidentified the end of a linked list and dereferenced a bogus pointer that overlapped internal map fields. The resulting out‑of‑bounds read copies kernel data into user space, exposing sensitive information but not allowing arbitrary code execution.

Affected Systems

All Linux kernels that have not incorporated the commit that replaces list_next_entry() with list_entry_is_head() in the BPF cgroup storage code. Administrators should verify that the running kernel contains the patch that fixed end‑of‑list detection, as any earlier device is vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while an EPSS score of less than 1% shows a low but nonzero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. An attacker who can invoke the BPF interface to query cgroup keys would trigger the misdetection and read kernel memory; the required privileges depend on the system’s BPF key query permissions, but the attack vector is limited to interaction with the BPF subsystem.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 0f3d9dd5e1fd52b39e25328307c6a694e994ffe3
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 26d3339e465e54107bd85884341d1609c5300d6a
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< b4b5a20bed82130da2f2818f04d52378952fbd0b
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 85a2f30e40f7468db732f55659bc6318874f49af
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 32ce55d424395904986f5066f8755f6cb9993377
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< fc39753b7f92e09177777e9c648afe5aa3abb81f
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 5828b9e5b272ecff7cf5d345128d3de7324117f7

Linux

affected

Version	Status	Constraints
`4.19`	affected	—
`0`	unaffected	< 4.19
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[de9cbbaadba5adf88a19e46df61f7054000838f6,b4b5a20bed82130da2f2818f04d52378952fbd0b)`	affected	code_commit	—
`[de9cbbaadba5adf88a19e46df61f7054000838f6,85a2f30e40f7468db732f55659bc6318874f49af)`	affected	code_commit	—
`[de9cbbaadba5adf88a19e46df61f7054000838f6,32ce55d424395904986f5066f8755f6cb9993377)`	affected	code_commit	—
`[de9cbbaadba5adf88a19e46df61f7054000838f6,fc39753b7f92e09177777e9c648afe5aa3abb81f)`	affected	code_commit	—
`[de9cbbaadba5adf88a19e46df61f7054000838f6,5828b9e5b272ecff7cf5d345128d3de7324117f7)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.19`	affected	semver	—
`[0,4.19)`	unaffected	semver	—
`[6.6.141,6.7.0)`	unaffected	semver	—
`[6.12.91,6.13.0)`	unaffected	semver	—
`[6.18.33,6.19.0)`	unaffected	semver	—
`[7.0.10,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a version that includes the BPF cgroup storage fix, ensuring the commit that replaces list_next_entry() with list_entry_is_head() is present.
If a kernel update is not yet possible, restrict or disable user access to BPF key queries that touch cgroup storage, such as by tightening security policies or using seccomp to limit relevant system calls.
Monitor BPF subsystem activity for abnormal key‑query patterns and review logs for related errors to detect attempts to exploit the flaw.

Generated by OpenCVE AI on May 28, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00164.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0f3d9dd5e1fd52b39e25328307c6a694e994ffe3
https://git.kernel.org/stable/c/26d3339e465e54107bd85884341d1609c5300d6a
https://git.kernel.org/stable/c/2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6
https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377
https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7
https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af
https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b
https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f
https://lore.kernel.org/linux-cve-announce/2026052711-CVE-2026-45838-9c3b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45838
https://www.cve.org/CVERecord?id=CVE-2026-45838

History

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/0f3d9dd5e1fd52b39e25328307c6a694e994ffe3 https://git.kernel.org/stable/c/26d3339e465e54107bd85884341d1609c5300d6a https://git.kernel.org/stable/c/2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6

Thu, 28 May 2026 05:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-200

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
References		https://lore.kernel.org/linux-cve-announce/2026052711-CVE-2026-45838-9c3b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45838 https://www.cve.org/CVERecord?id=CVE-2026-45838
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 27 May 2026 12:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-200

Wed, 27 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace. Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.
Title		bpf: fix end-of-list detection in cgroup_storage_get_next_key()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377 https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7 https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T09:24:36.561Z

Updated: 2026-06-14T17:46:05.613Z

Reserved: 2026-05-13T15:03:33.077Z

Link: CVE-2026-45838

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T11:16:23.130

Modified: 2026-06-01T17:17:11.967

Link: CVE-2026-45838

Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45838 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T06:30:10Z

Weaknesses

CWE-125
Out-of-bounds Read

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object