Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: return VMA snapshot from task_vma iterator

Holding the per-VMA lock across the BPF program body creates a lock
ordering problem when helpers acquire locks that depend on mmap_lock:

vm_lock -> i_rwsem -> mmap_lock -> vm_lock

Snapshot the VMA under the per-VMA lock in _next() via memcpy(), then
drop the lock before returning. The BPF program accesses only the
snapshot.

The verifier only trusts vm_mm and vm_file pointers (see
BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is reference-
counted with get_file() under the lock and released via fput() on the
next iteration or in _destroy(). vm_mm is already correct because
lock_vma_under_rcu() verifies vma->vm_mm == mm. All other pointers
are left as-is by memcpy() since the verifier treats them as untrusted.
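
A user-space analogue of the fix described in the commit message above, added here as an example and not taken from the kernel patch. `struct file`, `struct vma`, `vma_iter`, `iter_next`, `iter_destroy` and `walk` are hypothetical stand-ins, and the per-VMA lock is modeled as a flag so the example can check that it is never held while the loop body (the stand-in for the BPF program) runs.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical user-space stand-ins; none of these are the kernel's types. */
struct file { int refs; };
struct vma  { unsigned long start, end; struct file *file; int locked; };
struct vma_iter {
    struct vma *vmas; size_t n, pos;
    struct vma snap;        /* private copy handed to the loop body */
    int body_ran_locked;    /* set if any VMA lock is held while the body runs */
};
static void put_snapshot_file(struct vma_iter *it) {
    if (it->snap.file) { it->snap.file->refs--; it->snap.file = NULL; }
}
/* Analogue of _next(): copy under the lock, pin the file, unlock, return the copy. */
static const struct vma *iter_next(struct vma_iter *it) {
    put_snapshot_file(it);                     /* drop the previous iteration's reference */
    if (it->pos >= it->n) return NULL;
    struct vma *v = &it->vmas[it->pos++];
    v->locked = 1;                             /* take the per-VMA lock */
    memcpy(&it->snap, v, sizeof(it->snap));
    it->snap.locked = 0;                       /* the copy carries no lock state */
    if (it->snap.file) it->snap.file->refs++;  /* pin the file while still locked */
    v->locked = 0;                             /* release before the body runs */
    return &it->snap;
}

/* Analogue of _destroy(): release whatever the last snapshot still pins. */
static void iter_destroy(struct vma_iter *it) { put_snapshot_file(it); }

/* The loop body stands in for the BPF program. Returns total bytes mapped. */
static unsigned long walk(struct vma_iter *it, size_t stop_after) {
    unsigned long total = 0; size_t seen = 0;
    const struct vma *s;
    while ((s = iter_next(it)) != NULL) {
        for (size_t i = 0; i < it->n; i++)     /* body must see every lock released */
            if (it->vmas[i].locked) it->body_ran_locked = 1;
        total += s->end - s->start;            /* reads only the snapshot */
        if (++seen == stop_after) break;       /* early exit leaves a pinned file */
    }
    iter_destroy(it);
    return total;
}

int main(void) {
    struct file f = { 1 };                     /* constructed sample data */
    struct vma vmas[2] = { {0x1000, 0x3000, &f, 0}, {0x5000, 0x6000, NULL, 0} };
    struct vma_iter it = { .vmas = vmas, .n = 2 };
    unsigned long total = walk(&it, 0);
    printf("mapped=%#lx refs=%d locked_in_body=%d\n", total, f.refs, it.body_ran_locked);
    return 0;
}
```
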
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the per-VMA lock is held across the execution of a BPF program, which creates a lock ordering problem with helpers that acquire locks depending on mmap_lock. This ordering (vm_lock → i_rwsem → mmap_lock → vm_lock) can lead to deadlock or inconsistent access to kernel data structures. The verifier trusts only the vm_mm and vm_file pointers, which are protected; all other pointers are copied as-is and treated as untrusted. The bug could allow a kernel crash or denial of service if an attacker can execute specially crafted BPF code. No remote code execution or privilege escalation is described, but a local user could potentially trigger instability by loading malicious BPF programs.

Affected Systems

Linux kernel, all versions prior to the fix contained in the patch referenced in the advisory. No specific release numbers are listed, so all kernels running before the update are considered affected.

Risk and Exploitability

The CVSS score is not provided and the EPSS score is unavailable, indicating no quantitative assessment of risk. The vulnerability does not appear in CISA’s KEV catalog. The attack vector is inferred to be local; an attacker would need to run privileged or trusted BPF programs to exploit the lock ordering violation. Because no active exploitation reports are available, the risk is largely theoretical, though a kernel panic or denial of service could result if the issue is triggered in a production environment.

Generated by OpenCVE AI on June 24, 2026 at 19:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to the latest stable release that contains the patch for CVE-2026-53084.
  • If an immediate kernel upgrade is not possible, restrict or disable the loading of eBPF programs for untrusted users to mitigate the risk of a kernel crash caused by malicious BPF code.
  • Restart the system to ensure the updated kernel is active and monitor system logs for BPF‑related errors or crashes.

Generated by OpenCVE AI on June 24, 2026 at 19:13 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-362 |

Wed, 24 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: bpf: return VMA snapshot from task_vma iterator Holding the per-VMA lock across the BPF program body creates a lock ordering problem when helpers acquire locks that depend on mmap_lock: vm_lock -> i_rwsem -> mmap_lock -> vm_lock Snapshot the VMA under the per-VMA lock in _next() via memcpy(), then drop the lock before returning. The BPF program accesses only the snapshot. The verifier only trusts vm_mm and vm_file pointers (see BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is reference-counted with get_file() under the lock and released via fput() on the next iteration or in _destroy(). vm_mm is already correct because lock_vma_under_rcu() verifies vma->vm_mm == mm. All other pointers are left as-is by memcpy() since the verifier treats them as untrusted. |
| Title | | bpf: return VMA snapshot from task_vma iterator |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:24.356Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53084

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:15:15Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')