CVE-2026-53094

Source
https://cve.org/CVERecord?id=CVE-2026-53094
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53094.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53094
Downstream
Published
2026-06-24T16:30:32.815Z
Modified
2026-07-15T01:48:51.260309865Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
bpf: Fix stale offload->prog pointer after constant blinding
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stale offload->prog pointer after constant blinding

When a dev-bound-only BPF program (BPFFXDPDEVBOUNDONLY) undergoes JIT compilation with constant blinding enabled (bpfjitharden >= 2), bpfjitblindconstants() clones the program. The original prog is then freed in bpfjitprogreleaseother(), which updates aux->prog to point to the surviving clone, but fails to update offload->prog.

This leaves offload->prog pointing to the freed original program. When the network namespace is subsequently destroyed, cleanupnet() triggers bpfdevboundnetdev_unregister(), which iterates ondev->progs and calls _bpfprogoffloaddestroy(offload->prog). Accessing the freed prog causes a page fault:

BUG: unable to handle page fault for address: ffffc900085f1038 Workqueue: netns cleanup_net RIP: 0010:__bpfprogoffload_destroy+0xc/0x80 Call Trace: __bpfoffloaddevnetdevunregister+0x257/0x350 bpfdevboundnetdevunregister+0x4a/0x90 unregisternetdevicemanynotify+0x2a2/0x660 ... cleanupnet+0x21a/0x320

The test sequence that triggers this reliably is:

  1. Set net.core.bpfjitharden=2 (echo 2 > /proc/sys/net/core/bpfjitharden)
  2. Run xdpmetadata selftest, which creates a dev-bound-only XDP program on a veth inside a netns (./testprogs -t xdp_metadata)
  3. cleanup_net -> page fault in _bpfprogoffloaddestroy

Dev-bound-only programs are unique in that they have an offload structure but go through the normal JIT path instead of bpfprogoffload_compile(). This means they are subject to constant blinding's prog clone-and-replace, while also having offload->prog that must stay in sync.

Fix this by updating offload->prog in bpfjitprogreleaseother(), alongside the existing aux->prog update. Both are back-pointers to the prog that must be kept in sync when the prog is replaced.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53094.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2b3486bc2d237ec345b3942b7be5deabf8c8fed1
Fixed
a713b72ff88cdab4d5d692908ab1259ada511f4d
Fixed
25484c39d1ec82a0368798d956da3de5039b3fe8
Fixed
059525cf18e69a9313baf947d8898c6ee7ca6b65
Fixed
c79f8503d83d4665be461fb9e45e215d0380c67b
Fixed
a1aa9ef47c299c5bbc30594d3c2f0589edf908e6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53094.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53094.json"