{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23319", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.995Z", "datePublished": "2026-03-25T10:27:13.678Z", "dateUpdated": "2026-05-11T22:04:35.115Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:35.115Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\n\nThe root cause of this bug is that when 'bpf_link_put' reduces the\nrefcount of 'shim_link->link.link' to zero, the resource is considered\nreleased but may still be referenced via 'tr->progs_hlist' in\n'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in\n'bpf_shim_tramp_link_release' is deferred. During this window, another\nprocess can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.\n\nBased on Martin KaFai Lau's suggestions, I have created a simple patch.\n\nTo fix this:\n Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.\n Only increment the refcount if it is not already zero.\n\nTesting:\n I verified the fix by adding a delay in\n 'bpf_shim_tramp_link_release' to make the bug easier to trigger:\n\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\n{\n\t/* ... */\n\tif (!shim_link->trampoline)\n\t\treturn;\n\n+\tmsleep(100);\n\tWARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,\n\t\tshim_link->trampoline, NULL));\n\tbpf_trampoline_put(shim_link->trampoline);\n}\n\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\nwith a call trace similar to KaiyanM's report.\nAfter the patch, the bug no longer occurs even after millions of\niterations."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/trampoline.c"], "versions": [{"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "529e685e522b9d7fb379dbe6929dcdf520e34c8c", "status": "affected", "versionType": "git"}, {"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "9b02c5c4147f8af8ed783c8deb5df927a55c3951", "status": "affected", "versionType": "git"}, {"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "cfcfa0ca0212162aa472551266038e8fd6768cff", "status": "affected", "versionType": "git"}, {"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2", "status": "affected", "versionType": "git"}, {"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "4e8a0005d633a4adc98e3b65d5080f93b90d356b", "status": "affected", "versionType": "git"}, {"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e", "lessThan": "56145d237385ca0e7ca9ff7b226aaf2eb8ef368b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/trampoline.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/529e685e522b9d7fb379dbe6929dcdf520e34c8c"}, {"url": "https://git.kernel.org/stable/c/9b02c5c4147f8af8ed783c8deb5df927a55c3951"}, {"url": "https://git.kernel.org/stable/c/cfcfa0ca0212162aa472551266038e8fd6768cff"}, {"url": "https://git.kernel.org/stable/c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2"}, {"url": "https://git.kernel.org/stable/c/4e8a0005d633a4adc98e3b65d5080f93b90d356b"}, {"url": "https://git.kernel.org/stable/c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b"}], "title": "bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "72B24488-A57B-4D9C-A7EA-A6020518455B", "versionEndExcluding": "6.1.167", "versionStartIncluding": "6.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:-:*:*:*:*:*:*", "matchCriteriaId": "7BE551E5-89CF-47A8-9B26-03CE727FBA37", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\n\nThe root cause of this bug is that when 'bpf_link_put' reduces the\nrefcount of 'shim_link->link.link' to zero, the resource is considered\nreleased but may still be referenced via 'tr->progs_hlist' in\n'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in\n'bpf_shim_tramp_link_release' is deferred. During this window, another\nprocess can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.\n\nBased on Martin KaFai Lau's suggestions, I have created a simple patch.\n\nTo fix this:\n Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.\n Only increment the refcount if it is not already zero.\n\nTesting:\n I verified the fix by adding a delay in\n 'bpf_shim_tramp_link_release' to make the bug easier to trigger:\n\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\n{\n\t/* ... */\n\tif (!shim_link->trampoline)\n\t\treturn;\n\n+\tmsleep(100);\n\tWARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,\n\t\tshim_link->trampoline, NULL));\n\tbpf_trampoline_put(shim_link->trampoline);\n}\n\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\nwith a call trace similar to KaiyanM's report.\nAfter the patch, the bug no longer occurs even after millions of\niterations."}, {"lang": "es", "value": "En el n\u00facleo de Linux, se ha solucionado la siguiente vulnerabilidad: bpf: Correcci\u00f3n de un problema de UAF en bpf_trampoline_link_cgroup_shim. La causa principal de este error es que, cuando \u00abbpf_link_put\u00bb reduce a cero el contador de referencias de \u00abshim_link->link.link\u00bb, el recurso se considera liberado, pero a\u00fan puede ser referenciado a trav\u00e9s de \u00abtr->progs_hlist\u00bb en \u00abcgroup_shim_find\u00bb. La limpieza real de \u00abtr->progs_hlist\u00bb en \u00abbpf_shim_tramp_link_release\u00bb se aplaza. Durante este intervalo, otro proceso puede provocar un uso despu\u00e9s de la liberaci\u00f3n a trav\u00e9s de \u00abbpf_trampoline_link_cgroup_shim\u00bb. Bas\u00e1ndome en las sugerencias de Martin KaFai Lau, he creado un parche sencillo. Para solucionar esto: a\u00f1adir una comprobaci\u00f3n at\u00f3mica de que no sea cero en \u00abbpf_trampoline_link_cgroup_shim\u00bb. Solo incrementar el contador de referencias si a\u00fan no es cero. Pruebas: He verificado la correcci\u00f3n a\u00f1adiendo un retraso en \u00abbpf_shim_tramp_link_release\u00bb para que el error sea m\u00e1s f\u00e1cil de provocar: static void bpf_shim_tramp_link_release(struct bpf_link *link) { /* ... */ if (!shim_link->trampoline) return; + msleep(100); WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link, shim_link->trampoline, NULL)); bpf_trampoline_put(shim_link->trampoline); } Antes del parche, al ejecutar un PoC se reproduc\u00eda f\u00e1cilmente el bloqueo (casi al 100 %) con un seguimiento de llamadas similar al del informe de KaiyanM. Tras el parche, el error ya no se produce ni siquiera tras millones de iteraciones."}], "id": "CVE-2026-23319", "lastModified": "2026-04-23T21:05:38.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:28.570", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4e8a0005d633a4adc98e3b65d5080f93b90d356b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/529e685e522b9d7fb379dbe6929dcdf520e34c8c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9b02c5c4147f8af8ed783c8deb5df927a55c3951"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cfcfa0ca0212162aa472551266038e8fd6768cff"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim", "id": "2451203", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451203"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's Berkeley Packet Filter (BPF) component. This use-after-free (UAF) vulnerability allows a local user to trigger a condition in the `bpf_trampoline_link_cgroup_shim` function where a resource is freed but still referenced. This can lead to a system crash, resulting in a denial of service, or potentially enable privilege escalation."], "name": "CVE-2026-23319", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23319\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23319\nhttps://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23319-1e3d@gregkh/T"], "statement": "This flaw affects systems using BPF with cgroup trampolines. The race condition occurs between bpf_link_put() releasing a shim link and another process looking it up via cgroup_shim_find(). The deferred cleanup of tr->progs_hlist creates a window for use-after-free. Exploitation requires BPF privileges and concurrent operations on cgroup BPF programs.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e,529e685e522b9d7fb379dbe6929dcdf520e34c8c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e,9b02c5c4147f8af8ed783c8deb5df927a55c3951)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e,cfcfa0ca0212162aa472551266038e8fd6768cff)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e,3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e,4e8a0005d633a4adc98e3b65d5080f93b90d356b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e,56145d237385ca0e7ca9ff7b226aaf2eb8ef368b)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T22:10:26.001357+00:00", "value": {"mitigation_remediation": ["Apply a Linux kernel update that incorporates the bpf_trampoline_link_cgroup_shim patch", "Verify the presence of the relevant kernel commit and ensure the kernel is compiled with the fix", "Reboot the system to load the patched kernel", "If an update is not immediately feasible, limit or disable BPF trampoline program usage until the patch is applied"], "summary": {"action": "Immediate Patch", "impact": "Use-After-Free"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the Linux kernel. The affected versions are kernel 6.0 and all 7.0 release candidates from rc1 through rc7. Administrators should verify whether their running kernel includes any of these versions and whether the patch commits that fix the bpf_trampoline_link_cgroup_shim code have been applied; updating to a kernel that contains the referenced patch commits is the recommended approach.", "description_and_impact": "The Linux kernel BPF subsystem suffers a use\u2011after\u2011free condition in the bpf_trampoline_link_cgroup_shim routine. When bpf_link_put drops the reference count of a shim link to zero, the associated trampoline program list is not cleaned up immediately. During that brief window, another process can invoke bpf_trampoline_link_cgroup_shim and access freed memory, potentially causing kernel memory corruption or a crash. The weakness is a use\u2011after\u2011free (CWE\u2011416) and is also noted as CWE\u2011825 in the advisory.", "risk_and_exploitability": "The CVSS v3.1 score of 7.8 indicates high severity, yet the EPSS score is below 1%, implying a low probability of exploitation in the wild. It is inferred from the nature of the use\u2011after\u2011free issue and the requirement to load BPF trampoline programs that the attack vector would be local with elevated privileges or kernel exploitation. No publicly available exploit has been reported and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not occurred."}}}}, "created": "2026-03-25T21:15:10.237218+00:00", "updated": "2026-04-28T22:15:41.368318+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}