In the Linux kernel, the following vulnerability has been resolved:
bpf: Use RCU-safe iteration in devmapredirect_multi() SKB path
The DEVMAPHASH branch in devmapredirectmulti() uses hlistforeachentrysafe() to iterate hash buckets, but this function runs under RCU protection (called from xdpdogenericredirectmap() in softirq context). Concurrent writers (_devmaphashupdateelem, devmaphashdeleteelem) modify the list using RCU primitives (hlistaddheadrcu, hlistdelrcu).
hlistforeachentrysafe() performs plain pointer dereferences without rcudereference(), missing the acquire barrier needed to pair with writers' rcuassignpointer(). On weakly-ordered architectures (ARM64, POWER), a reader can observe a partially-constructed node. It also defeats CONFIGPROVE_RCU lockdep validation and KCSAN data-race detection.
Replace with hlistforeachentryrcu() using rcureadlockbhheld() as the lockdep condition, consistent with the rcudereferencecheck() used in the DEVMAP (non-hash) branch of the same functions. Also fix the same incorrect lockdepisheld(&dtab->indexlock) condition in devmapenqueuemulti(), where the lock is not held either.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53096.json",
"cna_assigner": "Linux"
}