Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix RCU stall in bpf_fd_array_map_clear()

Add a missing cond_resched() in bpf_fd_array_map_clear() loop.

For PROG_ARRAY maps with many entries this loop calls
prog_array_map_poke_run() per entry which can be expensive, and
without yielding this can cause RCU stalls under load:

rcu: Stack dump where RCU GP kthread last ran:
CPU: 0 UID: 0 PID: 30932 Comm: kworker/0:2 Not tainted 6.14.0-13195-g967e8def1100 #2 PREEMPT(undef)
Workqueue: events prog_array_map_clear_deferred
RIP: 0010:write_comp_data+0x38/0x90 kernel/kcov.c:246
Call Trace:
<TASK>
prog_array_map_poke_run+0x77/0x380 kernel/bpf/arraymap.c:1096
__fd_array_map_delete_elem+0x197/0x310 kernel/bpf/arraymap.c:925
bpf_fd_array_map_clear kernel/bpf/arraymap.c:1000 [inline]
prog_array_map_clear_deferred+0x119/0x1b0 kernel/bpf/arraymap.c:1141
process_one_work+0x898/0x19d0 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x770/0x10b0 kernel/workqueue.c:3400
kthread+0x465/0x880 kernel/kthread.c:464
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x19/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the Linux kernel BPF subsystem: bpf_fd_array_map_clear() does not yield the CPU during the loop that clears entries from a PROG_ARRAY map. For maps containing many elements, the loop invokes a resource-intensive operation for each entry, which can cause the RCU subsystem to stall under load. The stall manifests as a delay in RCU callbacks and can leave the system unresponsive, effectively creating a denial-of-service condition. This corresponds to CWE-400 (Uncontrolled Resource Consumption), as the kernel fails to give up the CPU during an extended operation, exhausting system resources.

Affected Systems

The flaw affects the Linux operating system kernel in all releases that include the bpf_fd_array_map_clear function and were released before the patch that adds cond_resched. The bug was observed in kernel 6.14.0-13195-g967e8def1100, but the fix applies to any version that incorporates the commit series linked in the advisory references. Administrators should review their kernel version and consider a kernel upgrade to a release that includes the patch.

Risk and Exploitability

No CVSS score or EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, implying no publicly known widespread exploits at the time of writing. However, because the bug can be triggered by clearing large BPF maps under heavy load, it poses a significant risk in environments with frequent BPF operations. The likely attack vector requires the ability to manipulate BPF maps – typically a privileged user or a process with elevated capabilities – but could be leveraged remotely if the application layer exposes BPF functionality to untrusted users. Therefore, the risk remains high for systems that execute frequent BPF clear operations and should be treated with priority.

Generated by OpenCVE AI on June 24, 2026 at 19:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the fix for bpf_fd_array_map_clear, such as kernel releases that include the commit 4406942e65ca128c56c67443832988873c21d2e9.
  • If an immediate kernel upgrade is not possible, limit the use of large PROG_ARRAY maps and avoid clearing them under high load; schedule clear operations during low‑activity periods.
  • Implement monitoring for RCU stall conditions and kernel logs that indicate delayed workqueue processing, and adjust workloads accordingly.
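
A log check for the monitoring step above, as an added example (not OpenCVE's or the kernel project's code): it scans kernel log text for RCU stall reports whose stack trace passes through bpf_fd_array_map_clear() or prog_array_map_clear_deferred(), the frames shown in the description. The name find_prog_array_stalls, the sample log and the example_busy_loop frame are constructed for illustration.

```python
import re

STALL_START = re.compile(r"rcu: (?:INFO: \S+ (?:self-)?detected stalls?"
                         r"|Stack dump where RCU GP kthread last ran)")
# Frames: "func+0x77/0x380 ..." or inlined "func path/file.c:1000 [inline]".
FRAME = re.compile(r"([A-Za-z_][\w.]*)"
                   r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+|\s+\S+:\d+ \[inline\])")
# Function names taken from the stack dump in the description above.
SIGNATURE = {"bpf_fd_array_map_clear", "prog_array_map_clear_deferred"}


def find_prog_array_stalls(log_text):
    """Return RCU stall reports whose trace passes through the clear path."""
    hits, block = [], None
    def close(b):
        if b and SIGNATURE & set(b["frames"]):
            hits.append(b)
    for line in log_text.splitlines():
        if STALL_START.search(line):
            close(block)  # previous report ended without </TASK>
            block = {"header": line.strip(), "frames": []}
        elif block is not None:
            block["frames"] += FRAME.findall(line)
            if "</TASK>" in line:
                close(block)
                block = None
    close(block)  # report still open at end of input
    return hits


# Constructed sample: the first report is abridged from the trace on this
# page; the second is an invented, unrelated stall that must not be flagged.
SAMPLE_LOG = """\
rcu: Stack dump where RCU GP kthread last ran:
Workqueue: events prog_array_map_clear_deferred
 <TASK>
 prog_array_map_poke_run+0x77/0x380 kernel/bpf/arraymap.c:1096
 bpf_fd_array_map_clear kernel/bpf/arraymap.c:1000 [inline]
 prog_array_map_clear_deferred+0x119/0x1b0 kernel/bpf/arraymap.c:1141
 </TASK>
rcu: INFO: rcu_preempt self-detected stall on CPU
 <TASK>
 example_busy_loop+0x10/0x40
 </TASK>
"""

if __name__ == "__main__":
    for hit in find_prog_array_stalls(SAMPLE_LOG):
        print(hit["header"], "->", ", ".join(hit["frames"]))
```

The function takes the kernel log as a single string, for example the captured output of `dmesg` or `journalctl -k`.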

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title bpf: Fix RCU stall in bpf_fd_array_map_clear()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:23.568Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53083

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:15:15Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption