7.8

CVE-2026-53094

bpf: Fix stale offload->prog pointer after constant blinding

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stale offload->prog pointer after constant blinding

When a dev-bound-only BPF program (BPF_F_XDP_DEV_BOUND_ONLY) undergoes
JIT compilation with constant blinding enabled (bpf_jit_harden >= 2),
bpf_jit_blind_constants() clones the program. The original prog is then
freed in bpf_jit_prog_release_other(), which updates aux->prog to point
to the surviving clone, but fails to update offload->prog.

This leaves offload->prog pointing to the freed original program. When
the network namespace is subsequently destroyed, cleanup_net() triggers
bpf_dev_bound_netdev_unregister(), which iterates ondev->progs and calls
__bpf_prog_offload_destroy(offload->prog). Accessing the freed prog
causes a page fault:

BUG: unable to handle page fault for address: ffffc900085f1038
Workqueue: netns cleanup_net
RIP: 0010:__bpf_prog_offload_destroy+0xc/0x80
Call Trace:
__bpf_offload_dev_netdev_unregister+0x257/0x350
bpf_dev_bound_netdev_unregister+0x4a/0x90
unregister_netdevice_many_notify+0x2a2/0x660
...
cleanup_net+0x21a/0x320

The test sequence that triggers this reliably is:

1. Set net.core.bpf_jit_harden=2 (echo 2 > /proc/sys/net/core/bpf_jit_harden)
2. Run xdp_metadata selftest, which creates a dev-bound-only XDP
   program on a veth inside a netns (./test_progs -t xdp_metadata)
3. cleanup_net -> page fault in __bpf_prog_offload_destroy

Dev-bound-only programs are unique in that they have an offload structure
but go through the normal JIT path instead of bpf_prog_offload_compile().
This means they are subject to constant blinding's prog clone-and-replace,
while also having offload->prog that must stay in sync.

Fix this by updating offload->prog in bpf_jit_prog_release_other(),
alongside the existing aux->prog update. Both are back-pointers to
the prog that must be kept in sync when the prog is replaced.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version 2b3486bc2d237ec345b3942b7be5deabf8c8fed1
Version < a713b72ff88cdab4d5d692908ab1259ada511f4d
Status affected
Version 2b3486bc2d237ec345b3942b7be5deabf8c8fed1
Version < 25484c39d1ec82a0368798d956da3de5039b3fe8
Status affected
Version 2b3486bc2d237ec345b3942b7be5deabf8c8fed1
Version < 059525cf18e69a9313baf947d8898c6ee7ca6b65
Status affected
Version 2b3486bc2d237ec345b3942b7be5deabf8c8fed1
Version < c79f8503d83d4665be461fb9e45e215d0380c67b
Status affected
Version 2b3486bc2d237ec345b3942b7be5deabf8c8fed1
Version < a1aa9ef47c299c5bbc30594d3c2f0589edf908e6
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 6.3
Status affected
Version 0
Version < 6.3
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.029
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/a713b72ff88cdab4d5d692908ab1259ada511f4d
https://git.kernel.org/stable/c/25484c39d1ec82a0368798d956da3de5039b3fe8
https://git.kernel.org/stable/c/059525cf18e69a9313baf947d8898c6ee7ca6b65
https://git.kernel.org/stable/c/c79f8503d83d4665be461fb9e45e215d0380c67b
https://git.kernel.org/stable/c/a1aa9ef47c299c5bbc30594d3c2f0589edf908e6