Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Do not allow deleting local storage in NMI

Currently, local storage may deadlock when deferring freeing selem or
local storage through kfree_rcu(), call_rcu() or call_rcu_tasks_trace()
in NMI or reentrant. Since deleting selem in NMI is an unlikely use
case, partially mitigate it by returning error when calling from
bpf_xxx_storage_delete() helpers in NMI. Note that, it is still possible
to deadlock through reentrant. A full mitigation requires returning
error when irqs_disabled() is true, which, however is too heavy-handed
for bpf_xxx_storage_delete().

The long-term solution requires _nolock versions of call_rcu. Another
possible solution is to defer the free through irq_work [0], but it
would grow the size of selem, which is non-ideal.

The check is only needed in bpf_selem_unlink(), which is used by helpers
and syscalls. bpf_selem_unlink_nofail() is fine as it is called during
map and owner tear down that never run in NMI or reentrant.

[0] https://lore.kernel.org/bpf/20260205190233.912-1-alexei.starovoitov@gmail.com/
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a flaw in the handling of BPF local storage deletion during a non‑maskable interrupt (NMI). When a BPF helper attempts to delete a storage element while an NMI is in progress, the kernel may deadlock because RCU callbacks such as kfree_rcu() can block in this context. The developers added a guard that returns an error when the deletion helper is called from NMI, but the issue can still arise in re‑entrant code. The vulnerability does not provide direct code execution; instead, it risks a system‑wide denial of service by freezing the kernel when a critical data path is blocked. This vulnerability is a CWE‑400 denial‑of‑service weakness.

Affected Systems

This bug resides in the mainline Linux kernel and affects any distribution that ships an unpatched version of the kernel. All kernels prior to the commit that introduced the fix are vulnerable. Systems that load BPF programs calling bpf_xxx_storage_delete() during an NMI or re‑entrant scenario are at risk, regardless of specific distribution name.

Risk and Exploitability

The CVSS score is 5.5 and the EPSS is < 1%, and the vulnerability is not listed in CISA’s KEV catalog, indicating a moderate exposure. Exploitation would require a privileged or local kernel attacker who can load a BPF program that triggers the deletion helper while NMIs or re‑entrant code paths are active. The partial mitigation that returns an error during NMI reduces the likelihood of a deadlock from that specific context, but re‑entrant deadlock remains possible. The risk is primarily a denial of service that could affect availability of the entire system.

Generated by OpenCVE AI on June 27, 2026 at 02:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that includes the patch that blocks local storage deletion when irqs_disabled() is true and during re‑entrant paths
  • Revise BPF programs so that helpers calling bpf_xxx_storage_delete() are never invoked within NMI or re‑entrant contexts
  • If possible, disable or restrict use of bpf_xxx_storage_delete() in high‑availability or kernel‑critical environments
  • Monitor system logs and NMI activity for signs of deadlock or abnormal behavior that may indicate exploitation

Generated by OpenCVE AI on June 27, 2026 at 02:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-833
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Do not allow deleting local storage in NMI Currently, local storage may deadlock when deferring freeing selem or local storage through kfree_rcu(), call_rcu() or call_rcu_tasks_trace() in NMI or reentrant. Since deleting selem in NMI is an unlikely use case, partially mitigate it by returning error when calling from bpf_xxx_storage_delete() helpers in NMI. Note that, it is still possible to deadlock through reentrant. A full mitigation requires returning error when irqs_disabled() is true, which, however is too heavy-handed for bpf_xxx_storage_delete(). The long-term solution requires _nolock versions of call_rcu. Another possible solution is to defer the free through irq_work [0], but it would grow the size of selem, which is non-ideal. The check is only needed in bpf_selem_unlink(), which is used by helpers and syscalls. bpf_selem_unlink_nofail() is fine as it is called during map and owner tear down that never run in NMI or reentrant. [0] https://lore.kernel.org/bpf/20260205190233.912-1-alexei.starovoitov@gmail.com/
Title bpf: Do not allow deleting local storage in NMI
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:41.382Z

Reserved: 2026-06-09T07:44:35.385Z

Link: CVE-2026-53106

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53106 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T02:15:10Z

Weaknesses