Home

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'. Based on Martin KaFai Lau's suggestions, I have created a simple patch. To fix this: Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is not already zero. Testing: I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger: static void bpf_shim_tramp_link_release(struct bpf_link *link) { /* ... */ if (!shim_link->trampoline) return; + msleep(100); WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link, shim_link->trampoline, NULL)); bpf_trampoline_put(shim_link->trampoline); } Before the patch, running a PoC easily reproduced the crash(almost 100%) with a call trace similar to KaiyanM's report. After the patch, the bug no longer occurs even after millions of iterations.

PUBLISHED Reserved 2026-01-13 | Published 2026-03-25 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e (git) before 529e685e522b9d7fb379dbe6929dcdf520e34c8c
affected

69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e (git) before 9b02c5c4147f8af8ed783c8deb5df927a55c3951
affected

69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e (git) before cfcfa0ca0212162aa472551266038e8fd6768cff
affected

69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e (git) before 3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2
affected

69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e (git) before 4e8a0005d633a4adc98e3b65d5080f93b90d356b
affected

69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e (git) before 56145d237385ca0e7ca9ff7b226aaf2eb8ef368b
affected

Default status
affected

6.0
affected

Any version before 6.0
unaffected

6.1.167 (semver)
unaffected

6.6.130 (semver)
unaffected

6.12.77 (semver)
unaffected

6.18.17 (semver)
unaffected

6.19.7 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/529e685e522b9d7fb379dbe6929dcdf520e34c8c

git.kernel.org/...c/9b02c5c4147f8af8ed783c8deb5df927a55c3951

git.kernel.org/...c/cfcfa0ca0212162aa472551266038e8fd6768cff

git.kernel.org/...c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2

git.kernel.org/...c/4e8a0005d633a4adc98e3b65d5080f93b90d356b

git.kernel.org/...c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b

cve.org (CVE-2026-23319)

nvd.nist.gov (CVE-2026-23319)

Download JSON