CVE-2026-53085

Source
https://cve.org/CVERecord?id=CVE-2026-53085
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53085.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53085
Downstream
Published
2026-06-24T16:30:25.232Z
Modified
2026-07-08T08:07:23.723027557Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
bpf: fix mm lifecycle in open-coded task_vma iterator
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: fix mm lifecycle in open-coded task_vma iterator

The open-coded taskvma iterator reads task->mm locklessly and acquires mmapreadtrylock() but never calls mmget(). If the task exits concurrently, the mmstruct can be freed as it is not SLABTYPESAFEBY_RCU, resulting in a use-after-free.

Safely read task->mm with a trylock on alloclock and acquire an mm reference. Drop the reference via bpfitermmputasync() in destroy() and error paths. bpfitermmputasync() is a local wrapper around mmputasync() with a fallback to mmput() on !CONFIGMMU.

Reject irqs-disabled contexts (including NMI) up front. Operations used by next() and destroy() (mmapreadunlock, bpfitermmputasync) take spinlocks with IRQs disabled (pool->lock, pilock). Running from NMI or from a tracepoint that fires with those locks held could deadlock.

A trylock on alloclock is used instead of the blocking tasklock() (gettaskmm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53085.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4ac4546821584736798aaa9e97da9f6eaf689ea3
Fixed
239cec25a22662dbd80f57d94b38178c8be95269
Fixed
d0862de7c866c5bd7c32531f66738c21197af888
Fixed
43683bb280330f3d36f0f2a3932a4867b9603e9c
Fixed
d8e27d2d22b6e2df3a0125b8c08e9aace38c954c

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53085.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53085.json"