Impact
The Linux kernel contains a flaw in the handling of BPF local storage deletion during a non‑maskable interrupt (NMI). When a BPF helper attempts to delete a storage element while an NMI is in progress, the kernel may deadlock because RCU callbacks such as kfree_rcu() can block in this context. The developers added a guard that returns an error when the deletion helper is called from NMI, but the issue can still arise in re‑entrant code. The vulnerability does not provide direct code execution; instead, it risks a system‑wide denial of service by freezing the kernel when a critical data path is blocked. This vulnerability is a CWE‑400 denial‑of‑service weakness.
Affected Systems
This bug resides in the mainline Linux kernel and affects any distribution that ships an unpatched version of the kernel. All kernels prior to the commit that introduced the fix are vulnerable. Systems that load BPF programs calling bpf_xxx_storage_delete() during an NMI or re‑entrant scenario are at risk, regardless of specific distribution name.
Risk and Exploitability
The CVSS score is 5.5 and the EPSS is < 1%, and the vulnerability is not listed in CISA’s KEV catalog, indicating a moderate exposure. Exploitation would require a privileged or local kernel attacker who can load a BPF program that triggers the deletion helper while NMIs or re‑entrant code paths are active. The partial mitigation that returns an error during NMI reduces the likelihood of a deadlock from that specific context, but re‑entrant deadlock remains possible. The risk is primarily a denial of service that could affect availability of the entire system.
OpenCVE Enrichment