Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix use-after-free in offloaded map/prog info fill

When querying info for an offloaded BPF map or program,
bpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns()
obtain the network namespace with get_net(dev_net(offmap->netdev)).
However, the associated netdev's netns may be racing with teardown
during netns destruction. If the netns refcount has already reached 0,
get_net() performs a refcount_t increment on 0, triggering:

refcount_t: addition on 0; use-after-free.

Although rtnl_lock and bpf_devs_lock ensure the netdev pointer remains
valid, they cannot prevent the netns refcount from reaching zero.

Fix this by using maybe_get_net() instead of get_net(). maybe_get_net()
uses refcount_inc_not_zero() and returns NULL if the refcount is already
zero, which causes ns_get_path_cb() to fail and the caller to return
-ENOENT -- the correct behavior when the netns is being destroyed.
Published: 2026-06-24
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw exists in kernel functions that gather information about offloaded BPF maps or programs. When the network namespace is being torn down, the kernel may increment a reference count on a zeroed object, triggering a memory fault. Based on the description, it is inferred that an attacker could trigger the vulnerable code path while the namespace is being destroyed, potentially leading to a kernel panic or arbitrary code execution, which could manifest as denial‑of‑service or privilege escalation.

Affected Systems

All Linux kernel distributions that shipped a kernel version prior to the application of the fix referenced in the advisory. The vendor list indicates that every deployment using the generic Linux kernel is vulnerable until the fix is applied.

Risk and Exploitability

The CVSS score of 7.0 indicates high severity, while the EPSS score of <1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that exploitation would likely require local or privileged access, enabling an attacker to inject a BPF program that queries information about offloaded maps or programs during a network namespace teardown. There is no publicly documented workaround, so the only effective defense is applying the fixed kernel.

Generated by OpenCVE AI on June 27, 2026 at 03:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that contains the commit to replace get_net() with maybe_get_net() in bpf_map_offload_info_fill_ns() and bpf_prog_off()
  • Verify that the distribution’s security team has merged the relevant patch into the next stable kernel release and enroll the system in that release cycle
  • If an immediate kernel update is not possible, disable offload of BPF maps or programs or isolate the affected hosts from untrusted networks until the patch is applied

Generated by OpenCVE AI on June 27, 2026 at 03:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-590

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in offloaded map/prog info fill When querying info for an offloaded BPF map or program, bpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns() obtain the network namespace with get_net(dev_net(offmap->netdev)). However, the associated netdev's netns may be racing with teardown during netns destruction. If the netns refcount has already reached 0, get_net() performs a refcount_t increment on 0, triggering: refcount_t: addition on 0; use-after-free. Although rtnl_lock and bpf_devs_lock ensure the netdev pointer remains valid, they cannot prevent the netns refcount from reaching zero. Fix this by using maybe_get_net() instead of get_net(). maybe_get_net() uses refcount_inc_not_zero() and returns NULL if the refcount is already zero, which causes ns_get_path_cb() to fail and the caller to return -ENOENT -- the correct behavior when the netns is being destroyed.
Title bpf: Fix use-after-free in offloaded map/prog info fill
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:28.531Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53089

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53089 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T03:15:04Z

Weaknesses
  • CWE-590

    Free of Memory not on the Heap

  • CWE-911

    Improper Update of Reference Count