7.8

CVE-2026-53085

bpf: fix mm lifecycle in open-coded task_vma iterator

In the Linux kernel, the following vulnerability has been resolved:

bpf: fix mm lifecycle in open-coded task_vma iterator

The open-coded task_vma iterator reads task->mm locklessly and acquires
mmap_read_trylock() but never calls mmget(). If the task exits
concurrently, the mm_struct can be freed as it is not
SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free.

Safely read task->mm with a trylock on alloc_lock and acquire an mm
reference. Drop the reference via bpf_iter_mmput_async() in _destroy()
and error paths. bpf_iter_mmput_async() is a local wrapper around
mmput_async() with a fallback to mmput() on !CONFIG_MMU.

Reject irqs-disabled contexts (including NMI) up front. Operations used
by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async)
take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from
NMI or from a tracepoint that fires with those locks held could
deadlock.

A trylock on alloc_lock is used instead of the blocking task_lock()
(get_task_mm) to avoid a deadlock when a softirq BPF program iterates
a task that already holds its alloc_lock on the same CPU.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 10
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 9
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 6
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 7
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 8
Default Statusunaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.11% 0.017
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 6.4 0.5 5.9
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-825 Expired Pointer Dereference

The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

https://git.kernel.org/stable/c/239cec25a22662dbd80f57d94b38178c8be95269
https://git.kernel.org/stable/c/d0862de7c866c5bd7c32531f66738c21197af888
https://git.kernel.org/stable/c/43683bb280330f3d36f0f2a3932a4867b9603e9c
https://git.kernel.org/stable/c/d8e27d2d22b6e2df3a0125b8c08e9aace38c954c
https://access.redhat.com/security/cve/CVE-2026-53085
https://bugzilla.redhat.com/show_bug.cgi?id=2492404
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53085.json