Home

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace. Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-06-01 | Assigner Linux

Product status

Default status
unaffected

de9cbbaadba5adf88a19e46df61f7054000838f6 (git) before 0f3d9dd5e1fd52b39e25328307c6a694e994ffe3
affected

de9cbbaadba5adf88a19e46df61f7054000838f6 (git) before 26d3339e465e54107bd85884341d1609c5300d6a
affected

de9cbbaadba5adf88a19e46df61f7054000838f6 (git) before 2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6
affected

de9cbbaadba5adf88a19e46df61f7054000838f6 (git) before b4b5a20bed82130da2f2818f04d52378952fbd0b
affected

de9cbbaadba5adf88a19e46df61f7054000838f6 (git) before 85a2f30e40f7468db732f55659bc6318874f49af
affected

de9cbbaadba5adf88a19e46df61f7054000838f6 (git) before 32ce55d424395904986f5066f8755f6cb9993377
affected

de9cbbaadba5adf88a19e46df61f7054000838f6 (git) before fc39753b7f92e09177777e9c648afe5aa3abb81f
affected

de9cbbaadba5adf88a19e46df61f7054000838f6 (git) before 5828b9e5b272ecff7cf5d345128d3de7324117f7
affected

Default status
affected

4.19
affected

Any version before 4.19
unaffected

5.10.258 (semver)
unaffected

5.15.209 (semver)
unaffected

6.1.175 (semver)
unaffected

6.6.141 (semver)
unaffected

6.12.91 (semver)
unaffected

6.18.33 (semver)
unaffected

7.0.10 (semver)
unaffected

7.1-rc1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/0f3d9dd5e1fd52b39e25328307c6a694e994ffe3

git.kernel.org/...c/26d3339e465e54107bd85884341d1609c5300d6a

git.kernel.org/...c/2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6

git.kernel.org/...c/b4b5a20bed82130da2f2818f04d52378952fbd0b

git.kernel.org/...c/85a2f30e40f7468db732f55659bc6318874f49af

git.kernel.org/...c/32ce55d424395904986f5066f8755f6cb9993377

git.kernel.org/...c/fc39753b7f92e09177777e9c648afe5aa3abb81f

git.kernel.org/...c/5828b9e5b272ecff7cf5d345128d3de7324117f7

cve.org (CVE-2026-45838)

nvd.nist.gov (CVE-2026-45838)

Download JSON