Impact
The vulnerability resides in the Linux kernel's BPF subsystem, specifically in the cgroup_storage_get_next_key() routine. The code incorrectly detects the end of the key list and, when asked for the key after the last one, dereferences a bogus pointer that overlaps the map's internal fields. The value read there is then copied to user space as if it were a key, exposing kernel memory contents. This allows an actor who can load BPF programs or query cgroup storage map keys to read sensitive kernel data, an information disclosure that could be leveraged in further attacks. The root cause is an improper list-boundary check, which results in an out-of-bounds read. No arbitrary code execution capability is demonstrated, but the data leakage is significant.
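To make the boundary-check defect concrete, the following is an added user-space model of the pattern described above and of its fix; it is not the kernel's code, and the struct layouts, field names and function names are assumptions. It mimics the kernel's intrusive-list idiom, in which stepping from the last entry yields the list head reinterpreted as an entry rather than NULL, so a NULL test can never detect the end of the list.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal model of the kernel's intrusive doubly linked list helpers. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
#define list_next_entry(pos, member) list_entry((pos)->member.next, __typeof__(*(pos)), member)
#define list_is_last(node, head) ((node)->next == (head))

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

/* Stand-ins for a cgroup storage map and its per-cgroup entries (assumed layout). */
struct cgroup_storage { struct list_head list_map; uint64_t key; };
struct cgroup_map { struct list_head list; uint64_t internal_field; };

/* Defective walk: list_next_entry() never yields NULL. On the last entry it returns
 * the list head (embedded in the map) reinterpreted as a storage entry, so the NULL
 * test cannot fire and the caller goes on to read "key" out of the map object. */
static struct cgroup_storage *next_key_buggy(struct cgroup_storage *cur) {
    struct cgroup_storage *next = list_next_entry(cur, list_map);
    if (!next) return NULL;   /* never true */
    return next;              /* may point into the map object itself */
}

/* Corrected walk: ask the list whether cur is the last node before stepping. */
static struct cgroup_storage *next_key_fixed(struct cgroup_map *map, struct cgroup_storage *cur) {
    if (list_is_last(&cur->list_map, &map->list)) return NULL;   /* end of list: -ENOENT */
    return list_next_entry(cur, list_map);
}

/* Builds a two-entry map (constructed sample data) and compares both walkers from the
 * last entry. Returns 1 when the buggy walker's "key" aliases map.internal_field while
 * the fixed walker reports end-of-list and still steps correctly mid-list; 0 otherwise.
 * Only addresses are compared; the bogus pointer is never dereferenced. */
int demo_overlap(void) {
    struct cgroup_map map = { .internal_field = 0 };
    struct cgroup_storage a = { .key = 1 }, b = { .key = 2 };
    list_init(&map.list);
    list_add_tail(&a.list_map, &map.list);
    list_add_tail(&b.list_map, &map.list);
    struct cgroup_storage *bogus = next_key_buggy(&b);
    int aliases_map = (uintptr_t)&bogus->key == (uintptr_t)&map.internal_field;
    return aliases_map && next_key_fixed(&map, &b) == NULL && next_key_fixed(&map, &a) == &b;
}
```

In the real syscall path the bytes at that aliased address would be copied to the caller's next-key buffer, which is the disclosure the advisory describes.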
Affected Systems
All Linux kernel installations that have not applied the recent BPF patch. The CVE affects any kernel that includes the cgroup_storage_get_next_key() function without the fix, which spans the vast majority of active kernel versions prior to the commit referenced. Administrators should check whether their running kernel predates the fix or is otherwise unpatched.
Risk and Exploitability
The CVSS score is not provided in the CVE listing, and the EPSS score is unavailable, so a precise exploitation probability cannot be quantified. Nevertheless, the issue is a kernel memory disclosure flaw, and because BPF can be used by users with appropriate privileges, it is a notable risk for systems that expose BPF functionality. The vulnerability is not currently catalogued in CISA's KEV, suggesting no widespread exploitation has been observed. The most likely attack vector involves a process that queries the keys of a cgroup storage map, which may be done by users with CAP_SYS_ADMIN or by applications running with elevated privileges. Because the fault is an out-of-bounds kernel read rather than a write, exploitation requires a carefully constructed key query that triggers the end-of-list misdetection, and the outcome is information disclosure rather than control-flow hijack.
OpenCVE Enrichment