In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix use-after-free in offloaded map/prog info fill
When querying info for an offloaded BPF map or program, bpfmapoffloadinfofillns() and bpfprogoffloadinfofillns() obtain the network namespace with getnet(devnet(offmap->netdev)). However, the associated netdev's netns may be racing with teardown during netns destruction. If the netns refcount has already reached 0, getnet() performs a refcountt increment on 0, triggering:
refcount_t: addition on 0; use-after-free.
Although rtnllock and bpfdevs_lock ensure the netdev pointer remains valid, they cannot prevent the netns refcount from reaching zero.
Fix this by using maybegetnet() instead of getnet(). maybegetnet() uses refcountincnotzero() and returns NULL if the refcount is already zero, which causes nsgetpath_cb() to fail and the caller to return -ENOENT -- the correct behavior when the netns is being destroyed.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53089.json",
"cna_assigner": "Linux"
}