CVE-2026-53089

Source
https://cve.org/CVERecord?id=CVE-2026-53089
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53089.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53089
Downstream
Published
2026-06-24T16:30:28.531Z
Modified
2026-07-08T08:09:44.722959404Z
Summary
bpf: Fix use-after-free in offloaded map/prog info fill
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix use-after-free in offloaded map/prog info fill

When querying info for an offloaded BPF map or program, bpfmapoffloadinfofillns() and bpfprogoffloadinfofillns() obtain the network namespace with getnet(devnet(offmap->netdev)). However, the associated netdev's netns may be racing with teardown during netns destruction. If the netns refcount has already reached 0, getnet() performs a refcountt increment on 0, triggering:

refcount_t: addition on 0; use-after-free.

Although rtnllock and bpfdevs_lock ensure the netdev pointer remains valid, they cannot prevent the netns refcount from reaching zero.

Fix this by using maybegetnet() instead of getnet(). maybegetnet() uses refcountincnotzero() and returns NULL if the refcount is already zero, which causes nsgetpath_cb() to fail and the caller to return -ENOENT -- the correct behavior when the netns is being destroyed.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53089.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
675fc275a3a2d905535207237402c6d8dcb5fa4b
Fixed
a51e7fbe94a87e236631a83973d4f558310b2cd2
Fixed
a0c584fc18056709c8e047a82a6045d6c209f4ce

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53089.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.16.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53089.json"