Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: fix mm lifecycle in open-coded task_vma iterator

The open-coded task_vma iterator reads task->mm locklessly and acquires
mmap_read_trylock() but never calls mmget(). If the task exits
concurrently, the mm_struct can be freed as it is not
SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free.

Safely read task->mm with a trylock on alloc_lock and acquire an mm
reference. Drop the reference via bpf_iter_mmput_async() in _destroy()
and error paths. bpf_iter_mmput_async() is a local wrapper around
mmput_async() with a fallback to mmput() on !CONFIG_MMU.

Reject irqs-disabled contexts (including NMI) up front. Operations used
by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async)
take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from
NMI or from a tracepoint that fires with those locks held could
deadlock.

A trylock on alloc_lock is used instead of the blocking task_lock()
(get_task_mm) to avoid a deadlock when a softirq BPF program iterates
a task that already holds its alloc_lock on the same CPU.
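The lifecycle the fix describes, as an added userspace model written for this page (not the kernel's code): the iterator takes its own mm reference under a trylock of alloc_lock and holds it until _destroy(), so a concurrent task exit cannot free the mm under it. The names follow the description; the int lock flag, plain-int refcount and free() are assumed simplifications of the kernel's spinlock, atomic mm_users and mm teardown.

```c
#include <errno.h>
#include <stdlib.h>
/* Single-threaded userspace model (an assumption, not kernel code): alloc_lock is an int
 * flag, mm_users a plain int, and free() stands in for the kernel tearing the mm down. */
struct mm_struct { int mm_users; };
struct task_struct { int alloc_lock; struct mm_struct *mm; };  /* alloc_lock: 1 = held */
struct task_vma_iter { struct mm_struct *mm; };                 /* one mm reference while live */
static int alloc_trylock(struct task_struct *t) { return t->alloc_lock ? 0 : (t->alloc_lock = 1); }
/* mmget_not_zero(): take a reference only while the mm is still alive. */
static int mmget_not_zero(struct mm_struct *mm) { return mm->mm_users ? ++mm->mm_users : 0; }
/* mmput(): drop a reference; the last one frees the mm. */
static void mmput(struct mm_struct *mm) { if (--mm->mm_users == 0) free(mm); }
static struct mm_struct *new_mm(void) {               /* mm_users = 1: the task's own reference */
    struct mm_struct *mm = calloc(1, sizeof *mm); mm->mm_users = 1; return mm;
}
/* Task exit: detach the mm under alloc_lock (task_lock() in the kernel), drop its reference. */
static void task_exit(struct task_struct *t) {
    t->alloc_lock = 1; struct mm_struct *mm = t->mm; t->mm = NULL; t->alloc_lock = 0;
    if (mm) mmput(mm);
}
/* _new(): trylock alloc_lock (never block), read task->mm, pin it with a reference. */
static int task_vma_iter_new(struct task_vma_iter *it, struct task_struct *t) {
    it->mm = NULL;
    if (!alloc_trylock(t)) return -EBUSY;             /* lock already held on this CPU: bail out */
    struct mm_struct *mm = t->mm;
    if (mm && !mmget_not_zero(mm)) mm = NULL;         /* mm already being torn down */
    t->alloc_lock = 0;
    it->mm = mm;
    return mm ? 0 : -ENOENT;
}
/* _destroy(): release the reference from _new() (the kernel uses mmput_async() here). */
static void task_vma_iter_destroy(struct task_vma_iter *it) { if (it->mm) mmput(it->mm); it->mm = NULL; }
/* Three scenarios from the fix description; the returned values are what the fix guarantees. */
struct scenario_result { int users_after_exit, rc_after_exit, rc_lock_held; };
static struct scenario_result run_scenarios(void) {
    struct scenario_result r;
    struct task_vma_iter it;
    struct task_struct t = { 0, new_mm() };
    task_vma_iter_new(&it, &t);                       /* mm_users 1 -> 2 */
    task_exit(&t);                                    /* 2 -> 1: the iterator keeps the mm alive */
    r.users_after_exit = it.mm->mm_users;             /* 1; unpinned, this would be a use-after-free */
    task_vma_iter_destroy(&it);                       /* 1 -> 0: freed only now */
    r.rc_after_exit = task_vma_iter_new(&it, &t);     /* task->mm is NULL: -ENOENT */
    t.mm = new_mm(); t.alloc_lock = 1;                /* task already holds its own alloc_lock */
    r.rc_lock_held = task_vma_iter_new(&it, &t);      /* -EBUSY instead of deadlocking */
    t.alloc_lock = 0; task_exit(&t);
    return r;
}
```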
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's BPF task_vma iterator reads the task structure's mm field without acquiring a reference, relying on a lock-free read that omits mmget(). If the target process exits concurrently, the mm_struct can be freed while the iterator still holds a stale pointer, resulting in a use-after-free that can be used to read or write arbitrary kernel memory, enabling privilege escalation or denial of service. The defect is resolved by adding proper mm reference counting, a trylock on alloc_lock, context checks, and a fall-back to mmput on non-MMU systems, preventing concurrent access to a deallocated mm_struct.

Affected Systems

All Linux kernel releases that do not include the commit identified by 239cec25a22662dbd80f57d94b38178c8be95269 (or a later commit carrying it) are vulnerable. The flaw lies in the BPF subsystem, so any kernel version that allows user-supplied BPF programs without additional hardening is affected.

Risk and Exploitability

The severity is high because the flaw permits kernel memory corruption. Exploitation requires the ability to load or execute a BPF program, typically requiring CAP_BPF or CAP_SYS_ADMIN, so the attack vector is local privilege escalation. EPSS is not available, and the vulnerability is not listed in CISA KEV at this time, but the canonical CVSS score would be in the 9.x range based on the use-after-free and arbitrary kernel memory access capability. Attackers could trigger the flaw by injecting a malicious BPF program that iterates a task_vma, causing the freed mm_struct to be accessed.

Generated by OpenCVE AI on June 24, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel version that incorporates the commit 239cec25a22662dbd80f57d94b38178c8be95269 or newer, providing mm reference counting and context checks for the BPF task_vma iterator.
  • Restrict BPF program loading by revoking CAP_BPF (or CAP_SYS_ADMIN) from untrusted users, limiting BPF execution to trusted accounts only.
  • Enable kernel hardening such as lockdown mode (CONFIG_LOCKDOWN) or eBPF restrictions to prevent unauthorized BPF execution and limit the use of the task_vma iterator in critical environments.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Weaknesses (values added): CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Values added:
Description: identical to the Description section at the top of this page
Title: bpf: fix mm lifecycle in open-coded task_vma iterator
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:25.232Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53085

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:00:11Z

Weaknesses