Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix RCU stall in bpf_fd_array_map_clear()

Add a missing cond_resched() in bpf_fd_array_map_clear() loop.

For PROG_ARRAY maps with many entries this loop calls
prog_array_map_poke_run() per entry which can be expensive, and
without yielding this can cause RCU stalls under load:

rcu: Stack dump where RCU GP kthread last ran:
CPU: 0 UID: 0 PID: 30932 Comm: kworker/0:2 Not tainted 6.14.0-13195-g967e8def1100 #2 PREEMPT(undef)
Workqueue: events prog_array_map_clear_deferred
RIP: 0010:write_comp_data+0x38/0x90 kernel/kcov.c:246
Call Trace:
<TASK>
prog_array_map_poke_run+0x77/0x380 kernel/bpf/arraymap.c:1096
__fd_array_map_delete_elem+0x197/0x310 kernel/bpf/arraymap.c:925
bpf_fd_array_map_clear kernel/bpf/arraymap.c:1000 [inline]
prog_array_map_clear_deferred+0x119/0x1b0 kernel/bpf/arraymap.c:1141
process_one_work+0x898/0x19d0 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x770/0x10b0 kernel/workqueue.c:3400
kthread+0x465/0x880 kernel/kthread.c:464
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x19/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the Linux kernel BPF subsystem when the bpf_fd_array_map_clear function fails to yield the CPU during a loop that clears entries from a PROG_ARRAY map. The loop repeatedly calls a resource‑intensive routine and, without a call to cond_resched(), can cause the RCU subsystem to stall under heavy load. When RCU stalls, callbacks and workqueue items are delayed, which can make the system unresponsive and effectively result in a denial‑of classified as CWE‑820, indicating improper restriction of operations in a critical subsystem.

Affected Systems

The flaw affects all Linux kernel releases that contain the bpf_fd_array_map_clear function before the patch commit 4406942e65ca128c56c67443832988873c21d2e9 is applied. Kernels older than or equal to 6.14.0-13195-g967e8def1100 are known to be vulnerable, and the advisory references list the precise commit series that add the missing cond_resched().

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity, while the EPSS score of < 1% shows that the is not listed in CISA’s KEV catalog. The description and logs suggest that the attack vector requires control over large BPF PROG_ARRAY maps, typically inherited by privileged users or applications that expose BPF functionality to untrusted code. Since the vulnerability is triggered by clearing many entries under load, the risk is moderate rather than high, but the potential impact of an RCU stall justifies prompt remediation. (The inferred attack vector is outlined because it is not explicitly stated in the official description.)

Generated by OpenCVE AI on June 27, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the patch commit 4406942e65ca128c56c67443832988873c21d2e9 ensuring cond_resched() is present in bpf_fd_array_map_clear.
  • If a kernel upgrade cannot be performed immediately, limit operations that clear large PROG_ARRAY maps and schedule such clearances during periods of low system activity to avoid prolonged RCU stalls.
  • Set up monitoring for RCU stall indicators and review kernel logs for delayed workqueue processing, adjusting workloads or kernel parameters as needed to mitigate potential performance regressions.

Generated by OpenCVE AI on June 27, 2026 at 05:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-820
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Fix RCU stall in bpf_fd_array_map_clear() Add a missing cond_resched() in bpf_fd_array_map_clear() loop. For PROG_ARRAY maps with many entries this loop calls prog_array_map_poke_run() per entry which can be expensive, and without yielding this can cause RCU stalls under load: rcu: Stack dump where RCU GP kthread last ran: CPU: 0 UID: 0 PID: 30932 Comm: kworker/0:2 Not tainted 6.14.0-13195-g967e8def1100 #2 PREEMPT(undef) Workqueue: events prog_array_map_clear_deferred RIP: 0010:write_comp_data+0x38/0x90 kernel/kcov.c:246 Call Trace: <TASK> prog_array_map_poke_run+0x77/0x380 kernel/bpf/arraymap.c:1096 __fd_array_map_delete_elem+0x197/0x310 kernel/bpf/arraymap.c:925 bpf_fd_array_map_clear kernel/bpf/arraymap.c:1000 [inline] prog_array_map_clear_deferred+0x119/0x1b0 kernel/bpf/arraymap.c:1141 process_one_work+0x898/0x19d0 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x770/0x10b0 kernel/workqueue.c:3400 kthread+0x465/0x880 kernel/kthread.c:464 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x19/0x30 arch/x86/entry/entry_64.S:245 </TASK>
Title bpf: Fix RCU stall in bpf_fd_array_map_clear()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:23.568Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53083

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53083 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T05:30:11Z

Weaknesses