{"api_version":"1","generated_at":"2026-07-09T20:28:30+00:00","cve":"CVE-2026-53089","urls":{"html":"https://cve.report/CVE-2026-53089","api":"https://cve.report/api/cve/CVE-2026-53089.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53089","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53089"},"summary":{"title":"bpf: Fix use-after-free in offloaded map/prog info fill","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix use-after-free in offloaded map/prog info fill\n\nWhen querying info for an offloaded BPF map or program,\nbpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns()\nobtain the network namespace with get_net(dev_net(offmap->netdev)).\nHowever, the associated netdev's netns may be racing with teardown\nduring netns destruction. If the netns refcount has already reached 0,\nget_net() performs a refcount_t increment on 0, triggering:\n\n  refcount_t: addition on 0; use-after-free.\n\nAlthough rtnl_lock and bpf_devs_lock ensure the netdev pointer remains\nvalid, they cannot prevent the netns refcount from reaching zero.\n\nFix this by using maybe_get_net() instead of get_net(). maybe_get_net()\nuses refcount_inc_not_zero() and returns NULL if the refcount is already\nzero, which causes ns_get_path_cb() to fail and the caller to return\n-ENOENT -- the correct behavior when the netns is being destroyed.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-24 17:17:23","updated_at":"2026-06-24 17:17:23"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/a51e7fbe94a87e236631a83973d4f558310b2cd2","name":"https://git.kernel.org/stable/c/a51e7fbe94a87e236631a83973d4f558310b2cd2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a0c584fc18056709c8e047a82a6045d6c209f4ce","name":"https://git.kernel.org/stable/c/a0c584fc18056709c8e047a82a6045d6c209f4ce","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53089","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53089","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 675fc275a3a2d905535207237402c6d8dcb5fa4b a51e7fbe94a87e236631a83973d4f558310b2cd2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 675fc275a3a2d905535207237402c6d8dcb5fa4b a0c584fc18056709c8e047a82a6045d6c209f4ce git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.16","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.16 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"53089","cve":"CVE-2026-53089","epss":"0.001450000","percentile":"0.041030000","score_date":"2026-06-29","updated_at":"2026-06-30 00:06:55"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["kernel/bpf/offload.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"a51e7fbe94a87e236631a83973d4f558310b2cd2","status":"affected","version":"675fc275a3a2d905535207237402c6d8dcb5fa4b","versionType":"git"},{"lessThan":"a0c584fc18056709c8e047a82a6045d6c209f4ce","status":"affected","version":"675fc275a3a2d905535207237402c6d8dcb5fa4b","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["kernel/bpf/offload.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.16"},{"lessThan":"4.16","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"4.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"4.16","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix use-after-free in offloaded map/prog info fill\n\nWhen querying info for an offloaded BPF map or program,\nbpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns()\nobtain the network namespace with get_net(dev_net(offmap->netdev)).\nHowever, the associated netdev's netns may be racing with teardown\nduring netns destruction. If the netns refcount has already reached 0,\nget_net() performs a refcount_t increment on 0, triggering:\n\n  refcount_t: addition on 0; use-after-free.\n\nAlthough rtnl_lock and bpf_devs_lock ensure the netdev pointer remains\nvalid, they cannot prevent the netns refcount from reaching zero.\n\nFix this by using maybe_get_net() instead of get_net(). maybe_get_net()\nuses refcount_inc_not_zero() and returns NULL if the refcount is already\nzero, which causes ns_get_path_cb() to fail and the caller to return\n-ENOENT -- the correct behavior when the netns is being destroyed."}],"providerMetadata":{"dateUpdated":"2026-06-24T16:30:28.531Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/a51e7fbe94a87e236631a83973d4f558310b2cd2"},{"url":"https://git.kernel.org/stable/c/a0c584fc18056709c8e047a82a6045d6c209f4ce"}],"title":"bpf: Fix use-after-free in offloaded map/prog info fill","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53089","datePublished":"2026-06-24T16:30:28.531Z","dateReserved":"2026-06-09T07:44:35.384Z","dateUpdated":"2026-06-24T16:30:28.531Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 17:17:23","lastModifiedDate":"2026-06-24 17:17:23","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53089","Ordinal":"1","Title":"bpf: Fix use-after-free in offloaded map/prog info fill","CVE":"CVE-2026-53089","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53089","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix use-after-free in offloaded map/prog info fill\n\nWhen querying info for an offloaded BPF map or program,\nbpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns()\nobtain the network namespace with get_net(dev_net(offmap->netdev)).\nHowever, the associated netdev's netns may be racing with teardown\nduring netns destruction. If the netns refcount has already reached 0,\nget_net() performs a refcount_t increment on 0, triggering:\n\n  refcount_t: addition on 0; use-after-free.\n\nAlthough rtnl_lock and bpf_devs_lock ensure the netdev pointer remains\nvalid, they cannot prevent the netns refcount from reaching zero.\n\nFix this by using maybe_get_net() instead of get_net(). maybe_get_net()\nuses refcount_inc_not_zero() and returns NULL if the refcount is already\nzero, which causes ns_get_path_cb() to fail and the caller to return\n-ENOENT -- the correct behavior when the netns is being destroyed.","Type":"Description","Title":"bpf: Fix use-after-free in offloaded map/prog info fill"}]}}}