In the Linux kernel, the following vulnerability has been resolved:
bpf: fix mm lifecycle in open-coded task_vma iterator
The open-coded taskvma iterator reads task->mm locklessly and acquires mmapreadtrylock() but never calls mmget(). If the task exits concurrently, the mmstruct can be freed as it is not SLABTYPESAFEBY_RCU, resulting in a use-after-free.
Safely read task->mm with a trylock on alloclock and acquire an mm reference. Drop the reference via bpfitermmputasync() in destroy() and error paths. bpfitermmputasync() is a local wrapper around mmputasync() with a fallback to mmput() on !CONFIGMMU.
Reject irqs-disabled contexts (including NMI) up front. Operations used by next() and destroy() (mmapreadunlock, bpfitermmputasync) take spinlocks with IRQs disabled (pool->lock, pilock). Running from NMI or from a tracepoint that fires with those locks held could deadlock.
A trylock on alloclock is used instead of the blocking tasklock() (gettaskmm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53085.json",
"cna_assigner": "Linux"
}