bpf: Do not allow deleting local storage in NMI
Summary
| CVE | CVE-2026-53106 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 17:17:24 UTC |
| Updated | 2026-06-24 17:17:24 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: bpf: Do not allow deleting local storage in NMI Currently, local storage may deadlock when deferring freeing selem or local storage through kfree_rcu(), call_rcu() or call_rcu_tasks_trace() in NMI or reentrant. Since deleting selem in NMI is an unlikely use case, partially mitigate it by returning error when calling from bpf_xxx_storage_delete() helpers in NMI. Note that, it is still possible to deadlock through reentrant. A full mitigation requires returning error when irqs_disabled() is true, which, however is too heavy-handed for bpf_xxx_storage_delete(). The long-term solution requires _nolock versions of call_rcu. Another possible solution is to defer the free through irq_work [0], but it would grow the size of selem, which is non-ideal. The check is only needed in bpf_selem_unlink(), which is used by helpers and syscalls. bpf_selem_unlink_nofail() is fine as it is called during map and owner tear down that never run in NMI or reentrant. [0] https://lore.kernel.org/bpf/[email protected]/ |
Risk And Classification
EPSS: 0.001450000 probability, percentile 0.041660000 (date 2026-06-29)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected a10787e6d58c24b51e91c19c6d16c5da89fcaa4b e84acaf936970b5b0be2c93bbf255295ba9406df git | Not specified |
| CNA | Linux | Linux | affected a10787e6d58c24b51e91c19c6d16c5da89fcaa4b 350de5b8a9befaa2a68861c51f671d4f5f751ca5 git | Not specified |
| CNA | Linux | Linux | affected 5.13 | Not specified |
| CNA | Linux | Linux | unaffected 5.13 semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.10 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/350de5b8a9befaa2a68861c51f671d4f5f751ca5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/e84acaf936970b5b0be2c93bbf255295ba9406df | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.