Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: fix mm lifecycle in open-coded task_vma iterator

The open-coded task_vma iterator reads task->mm locklessly and acquires
mmap_read_trylock() but never calls mmget(). If the task exits
concurrently, the mm_struct can be freed as it is not
SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free.

Safely read task->mm with a trylock on alloc_lock and acquire an mm
reference. Drop the reference via bpf_iter_mmput_async() in _destroy()
and error paths. bpf_iter_mmput_async() is a local wrapper around
mmput_async() with a fallback to mmput() on !CONFIG_MMU.

Reject irqs-disabled contexts (including NMI) up front. Operations used
by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async)
take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from
NMI or from a tracepoint that fires with those locks held could
deadlock.

A trylock on alloc_lock is used instead of the blocking task_lock()
(get_task_mm) to avoid a deadlock when a softirq BPF program iterates
a task that already holds its alloc_lock on the same CPU.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An open-coded task_vma iterator in the Linux kernel reads the task structure’s mm field locklessly, relying on mmap_read_trylock() but omitting an mmget() call. If the target process terminates concurrently, its mm_struct can be freed while the iterator still holds a stale pointer, creating a use-after-free that corrupts kernel memory. The fix introduces mm reference counting, a trylock on alloc_lock, and additional context checks to prevent concurrent access to a deallocated mm_struct. This flaw is a classic use‑after‑free that can lead to kernel code execution or a crash.

Affected Systems

All Linux kernel releases that lack the commit 239cec25a22662dbd80f57d94b38178c8be95269 or subsequent backports are affected. The issue resides in the BPF subsystem and therefore applies to all kernel configurations that enable eBPF program loading.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, and the EPSS score of < 1% shows that the probability of exploitation is currently low. The vulnerability is not included in CISA’s KEV catalog. Based on the description, it is inferred that exploitation requires the attacker to load or execute a BPF program that uses the task_vma iterator; therefore the likely attack vector is local and limited to privilege that can load BPF programs. If successful, an attacker could achieve arbitrary kernel memory overwrite, leading to privilege escalation or denial of service.

Generated by OpenCVE AI on June 28, 2026 at 14:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that incorporates commit 239cec25a22662dbd80f57d94b38178c8be95269 or later, which implements proper mm reference counting and context checks for the BPF task_vma iterator.
  • If an immediate kernel upgrade is not possible, reduce the risk by restricting the ability to load arbitrary BPF programs—for example, revoke CAP_BPF from non‑trusted users, thereby limiting the attack surface that can trigger the flaw.
  • If BPF support is not essential to your environment, consider disabling the BPF subsystem in the kernel configuration or applying a mandatory access control policy (e.g., SELinux, AppArmor) to constrain BPF program execution.

Generated by OpenCVE AI on June 28, 2026 at 14:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 27 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: fix mm lifecycle in open-coded task_vma iterator The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed as it is not SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free. Safely read task->mm with a trylock on alloc_lock and acquire an mm reference. Drop the reference via bpf_iter_mmput_async() in _destroy() and error paths. bpf_iter_mmput_async() is a local wrapper around mmput_async() with a fallback to mmput() on !CONFIG_MMU. Reject irqs-disabled contexts (including NMI) up front. Operations used by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async) take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from NMI or from a tracepoint that fires with those locks held could deadlock. A trylock on alloc_lock is used instead of the blocking task_lock() (get_task_mm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.
Title bpf: fix mm lifecycle in open-coded task_vma iterator
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:45:04.149Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53085

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53085 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference