CVE-2026-53096 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path

The DEVMAP_HASH branch in dev_map_redirect_multi() uses
hlist_for_each_entry_safe() to iterate hash buckets, but this function
runs under RCU protection (called from xdp_do_generic_redirect_map()
in softirq context). Concurrent writers (__dev_map_hash_update_elem,
dev_map_hash_delete_elem) modify the list using RCU primitives
(hlist_add_head_rcu, hlist_del_rcu).

hlist_for_each_entry_safe() performs plain pointer dereferences without
rcu_dereference(), missing the acquire barrier needed to pair with
writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64,
POWER), a reader can observe a partially-constructed node. It also
defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race
detection.

Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held()
as the lockdep condition, consistent with the rcu_dereference_check()
used in the DEVMAP (non-hash) branch of the same functions. Also fix
the same incorrect lockdep_is_held(&dtab->index_lock) condition in
dev_map_enqueue_multi(), where the lock is not held either.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A missing RCU acquire barrier in the dev_map_redirect_multi() function allows a reader to access a partially-constructed hash bucket node on weakly-ordered architectures. The race between a concurrent writer using RCU primitives and the unsafe iterator can lead to inconsistent memory views, evading lock‑dependency checks and data‑race detectors and potentially corrupting kernel memory. The impact is an uncontrolled modification of kernel data structures, which may cause crashes, loss of data integrity, or, in the worst case, a local privilege escalation if an attacker can influence the iterated data.

Affected Systems

Both the Linux and Linux kernel CNA vendors are affected. Any production kernel code that contains the dev_map_redirect_multi() path in the devmap hash branch and runs on ARM64 or POWER while using XDP to redirect packets is vulnerable. The exact version range is not enumerated, but the issue remains present until the patch that replaces the unsafe iterator and fixes the lock‑dep condition is included in upstream releases.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA KEV, giving no immediate indication of active exploitation. However, the CVSS score is not listed either, so the theoretical severity rests on the nature of a race condition that can corrupt kernel memory. If an attacker can trigger the sensitive XDP code path in a privileged context, the risk can be elevated to a high severity. The likely attack vector is a local kernel exploitation scenario where an attacker can control XDP programs or network traffic to the device that triggers the race. Remediation through a kernel patch mitigates the risk by restoring proper RCU ordering.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e624d4ed4aa8cc3c69d1359b0aaea539203ed266`	affected	< 4a3d0fe30b907ff324b1b49756f7e713d67f3645
`e624d4ed4aa8cc3c69d1359b0aaea539203ed266`	affected	< b089aa6e94d7a08e74d076a0fe274842dc9feccc
`e624d4ed4aa8cc3c69d1359b0aaea539203ed266`	affected	< 571a05ea1baaccc0dc1e0d227b2cbc978b96d392
`e624d4ed4aa8cc3c69d1359b0aaea539203ed266`	affected	< cb2c1f3cf65b855548e1b8d55a08bfbaa5a0901a
`e624d4ed4aa8cc3c69d1359b0aaea539203ed266`	affected	< d4c4bd231ebad70e6f30db429e9640bf378b2f52
`e624d4ed4aa8cc3c69d1359b0aaea539203ed266`	affected	< 7027e705062482a8cea43a1c13ede3c35653966f
`e624d4ed4aa8cc3c69d1359b0aaea539203ed266`	affected	< 8ed82f807bb09d2c8455aaa665f2c6cb17bc6a19

Linux

affected

Version	Status	Constraints
`5.14`	affected	—
`0`	unaffected	< 5.14
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel release that includes the RCU‑safe iterator patch for dev_map_redirect_multi()
Reboot affected hosts after the kernel update to ensure the new binary is active
Restart network interfaces that use XDP to force reload programs after the kernel update

Generated by OpenCVE AI on June 24, 2026 at 20:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4a3d0fe30b907ff324b1b49756f7e713d67f3645
https://git.kernel.org/stable/c/571a05ea1baaccc0dc1e0d227b2cbc978b96d392
https://git.kernel.org/stable/c/7027e705062482a8cea43a1c13ede3c35653966f
https://git.kernel.org/stable/c/8ed82f807bb09d2c8455aaa665f2c6cb17bc6a19
https://git.kernel.org/stable/c/b089aa6e94d7a08e74d076a0fe274842dc9feccc
https://git.kernel.org/stable/c/cb2c1f3cf65b855548e1b8d55a08bfbaa5a0901a
https://git.kernel.org/stable/c/d4c4bd231ebad70e6f30db429e9640bf378b2f52

History

Wed, 24 Jun 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-603 CWE-815

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path The DEVMAP_HASH branch in dev_map_redirect_multi() uses hlist_for_each_entry_safe() to iterate hash buckets, but this function runs under RCU protection (called from xdp_do_generic_redirect_map() in softirq context). Concurrent writers (__dev_map_hash_update_elem, dev_map_hash_delete_elem) modify the list using RCU primitives (hlist_add_head_rcu, hlist_del_rcu). hlist_for_each_entry_safe() performs plain pointer dereferences without rcu_dereference(), missing the acquire barrier needed to pair with writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64, POWER), a reader can observe a partially-constructed node. It also defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race detection. Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held() as the lockdep condition, consistent with the rcu_dereference_check() used in the DEVMAP (non-hash) branch of the same functions. Also fix the same incorrect lockdep_is_held(&dtab->index_lock) condition in dev_map_enqueue_multi(), where the lock is not held either.
Title		bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4a3d0fe30b907ff324b1b49756f7e713d67f3645 https://git.kernel.org/stable/c/571a05ea1baaccc0dc1e0d227b2cbc978b96d392 https://git.kernel.org/stable/c/7027e705062482a8cea43a1c13ede3c35653966f https://git.kernel.org/stable/c/8ed82f807bb09d2c8455aaa665f2c6cb17bc6a19 https://git.kernel.org/stable/c/b089aa6e94d7a08e74d076a0fe274842dc9feccc https://git.kernel.org/stable/c/cb2c1f3cf65b855548e1b8d55a08bfbaa5a0901a https://git.kernel.org/stable/c/d4c4bd231ebad70e6f30db429e9640bf378b2f52

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:30:34.477Z

Updated: 2026-06-24T16:30:34.477Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53096

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:00:11Z

Weaknesses

CWE-603
Use of Client-Side Authentication
CWE-815

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object