In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix NULL pointer dereference in bpfskstorage_clone and diag paths
bpfselemunlinknofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist. A concurrent RCU reader in bpfskstorageclone() can observe the selem still on the list with smap already NULL, causing a NULL pointer dereference.
general protection fault, probably for non-canonical address 0xdffffc000000000a: KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057] RIP: 0010:bpfskstorageclone+0x1cd/0xaa0 net/core/bpfskstorage.c:174 Call Trace: <IRQ> skclone+0xfed/0x1980 net/core/sock.c:2591 inetcskclonelock+0x30/0x760 net/ipv4/inetconnectionsock.c:1222 tcpcreateopenreqchild+0x35/0x2680 net/ipv4/tcpminisocks.c:571 tcpv4synrecvsock+0x123/0xf90 net/ipv4/tcpipv4.c:1729 tcpcheckreq+0x8e1/0x2580 include/net/tcp.h:855 tcpv4rcv+0x1845/0x3b80 net/ipv4/tcp_ipv4.c:2347
Add a NULL check for smap in bpfskstorage_clone().
bpfskstoragediagputall() has the same issue. Add a NULL check and pass the validated smap directly to diagget(), which is refactored to take smap as a parameter instead of reading it internally.
bpfskstoragediagput() uses diag->maps[i] which is always valid under its refcount, so diag->maps[i] is passed directly to diag_get().
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52938.json",
"cna_assigner": "Linux"
}