bpf: Fix use-after-free in offloaded map/prog info fill
Summary
| CVE | CVE-2026-53089 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 17:17:23 UTC |
| Updated | 2026-06-24 17:17:23 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in offloaded map/prog info fill When querying info for an offloaded BPF map or program, bpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns() obtain the network namespace with get_net(dev_net(offmap->netdev)). However, the associated netdev's netns may be racing with teardown during netns destruction. If the netns refcount has already reached 0, get_net() performs a refcount_t increment on 0, triggering: refcount_t: addition on 0; use-after-free. Although rtnl_lock and bpf_devs_lock ensure the netdev pointer remains valid, they cannot prevent the netns refcount from reaching zero. Fix this by using maybe_get_net() instead of get_net(). maybe_get_net() uses refcount_inc_not_zero() and returns NULL if the refcount is already zero, which causes ns_get_path_cb() to fail and the caller to return -ENOENT -- the correct behavior when the netns is being destroyed. |
Risk And Classification
EPSS: 0.001450000 probability, percentile 0.041030000 (date 2026-06-29)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 675fc275a3a2d905535207237402c6d8dcb5fa4b a51e7fbe94a87e236631a83973d4f558310b2cd2 git | Not specified |
| CNA | Linux | Linux | affected 675fc275a3a2d905535207237402c6d8dcb5fa4b a0c584fc18056709c8e047a82a6045d6c209f4ce git | Not specified |
| CNA | Linux | Linux | affected 4.16 | Not specified |
| CNA | Linux | Linux | unaffected 4.16 semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.10 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/a51e7fbe94a87e236631a83973d4f558310b2cd2 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/a0c584fc18056709c8e047a82a6045d6c209f4ce | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.