CVE-2026-52938

Source
https://cve.org/CVERecord?id=CVE-2026-52938
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52938.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52938
Downstream
Published
2026-06-24T07:14:27.952Z
Modified
2026-07-10T03:53:52.139251705Z
Summary
bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix NULL pointer dereference in bpfskstorage_clone and diag paths

bpfselemunlinknofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist. A concurrent RCU reader in bpfskstorageclone() can observe the selem still on the list with smap already NULL, causing a NULL pointer dereference.

general protection fault, probably for non-canonical address 0xdffffc000000000a: KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057] RIP: 0010:bpfskstorageclone+0x1cd/0xaa0 net/core/bpfskstorage.c:174 Call Trace: <IRQ> skclone+0xfed/0x1980 net/core/sock.c:2591 inetcskclonelock+0x30/0x760 net/ipv4/inetconnectionsock.c:1222 tcpcreateopenreqchild+0x35/0x2680 net/ipv4/tcpminisocks.c:571 tcpv4synrecvsock+0x123/0xf90 net/ipv4/tcpipv4.c:1729 tcpcheckreq+0x8e1/0x2580 include/net/tcp.h:855 tcpv4rcv+0x1845/0x3b80 net/ipv4/tcp_ipv4.c:2347

Add a NULL check for smap in bpfskstorage_clone().

bpfskstoragediagputall() has the same issue. Add a NULL check and pass the validated smap directly to diagget(), which is refactored to take smap as a parameter instead of reading it internally.

bpfskstoragediagput() uses diag->maps[i] which is always valid under its refcount, so diag->maps[i] is passed directly to diag_get().

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52938.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5d800f87d0a5ea1b156c47a4b9fd128479335153
Fixed
16af24fea29c209dea53595c99f6da9398548e1b
Fixed
375e4e33c18dfa05c5dfd5f3dfffeb29343dd4c7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52938.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.14

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52938.json"