Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix use-after-free in offloaded map/prog info fill

When querying info for an offloaded BPF map or program,
bpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns()
obtain the network namespace with get_net(dev_net(offmap->netdev)).
However, the associated netdev's netns may be racing with teardown
during netns destruction. If the netns refcount has already reached 0,
get_net() performs a refcount_t increment on 0, triggering:

refcount_t: addition on 0; use-after-free.

Although rtnl_lock and bpf_devs_lock ensure the netdev pointer remains
valid, they cannot prevent the netns refcount from reaching zero.

Fix this by using maybe_get_net() instead of get_net(). maybe_get_net()
uses refcount_inc_not_zero() and returns NULL if the refcount is already
zero, which causes ns_get_path_cb() to fail and the caller to return
-ENOENT -- the correct behavior when the netns is being destroyed.
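
The difference between the two helpers can be reproduced in a small userspace C model. This is an added example, not kernel code and not part of the original advisory. All `model_*` names are hypothetical, and the `-ENOENT` result is returned directly here rather than through a failing ns_get_path_cb().

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: struct and function names are hypothetical. */
struct model_ns { atomic_uint refs; };  /* 0 = teardown already started */

/* Pre-fix pattern (get_net): true if the increment started from 0. */
static bool model_get(struct model_ns *ns)
{
    return atomic_fetch_add(&ns->refs, 1) == 0;
}

/* Fixed pattern (maybe_get_net): refcount_inc_not_zero() semantics. */
static bool model_maybe_get(struct model_ns *ns)
{
    unsigned int old = atomic_load(&ns->refs);
    do {
        if (old == 0)
            return false;               /* object is dying: take nothing */
    } while (!atomic_compare_exchange_weak(&ns->refs, &old, old + 1));
    return true;
}

/* Simplified info-fill caller: 0 on success, -ENOENT if the ns is dying. */
static int model_info_fill(struct model_ns *ns, bool fixed, bool *inc_on_zero)
{
    *inc_on_zero = false;
    if (fixed) {
        if (!model_maybe_get(ns))
            return -ENOENT;
    } else {
        *inc_on_zero = model_get(ns);   /* the "addition on 0" case */
    }
    atomic_fetch_sub(&ns->refs, 1);     /* drop the reference again */
    return 0;
}

int main(void)
{
    struct model_ns dying;
    bool bad;
    atomic_init(&dying.refs, 0);        /* constructed: ns already at zero */
    int fixed = model_info_fill(&dying, true, &bad);
    int prefix = model_info_fill(&dying, false, &bad);
    printf("fixed=%d pre-fix=%d inc_on_zero=%d\n", fixed, prefix, bad);
    return 0;
}
```
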
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw exists in the kernel paths that gather information about offloaded BPF maps or programs. When the underlying network namespace is being torn down, the kernel may increment a reference count that has already reached zero, causing a memory fault. If an attacker can trigger the code path, the fault could lead to a kernel panic or, in some circumstances, arbitrary code execution. The impact is therefore a potential denial of service or escalation of privileges, depending on exploit conditions.

Affected Systems

All Linux distributions that shipped a kernel version predating the fix referenced in the advisory are affected. The vendor list includes the generic Linux kernel; no specific version numbers are supplied, so any kernel that still contains the vulnerable paths is affected.

Risk and Exploitability

The vulnerability is not listed by CISA as a Known Exploited Vulnerability and no EPSS score is available. The absence of CVSS data means the precise severity cannot be quantified here, but use‑after‑free flaws in kernel code are typically considered high risk. Exploitation would likely require local or privileged access and an ability to execute BPF programs that query information about offloaded maps or programs in a context where the network namespace may be tearing down. The entry does not appear to offer a publicly documented workaround, so the only effective defense is applying the fixed kernel.

Generated by OpenCVE AI on June 24, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update containing the commit that replaces get_net() with maybe_get_net() in bpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns()
  • Verify that the distribution’s security team has merged the relevant patch into the next stable kernel release and enroll the system in that release cycle
  • If an immediate kernel update is not possible, disable offload of BPF maps or programs or isolate the affected hosts from untrusted networks until the patch is applied


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

  • Weaknesses: added CWE-590

Wed, 24 Jun 2026 17:15:00 +0000

  • Description: added (identical to the Description text at the top of this entry)
  • Title: added "bpf: Fix use-after-free in offloaded map/prog info fill"
  • First Time appeared: added Linux; Linux linux Kernel
  • CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: added Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:28.531Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53089

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:00:11Z

Weaknesses
  • CWE-590

    Free of Memory not on the Heap