CVE-2026-53096

Source
https://cve.org/CVERecord?id=CVE-2026-53096
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53096.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53096
Downstream
Published
2026-06-24T16:30:34.477Z
Modified
2026-07-08T08:09:45.263914587Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Use RCU-safe iteration in devmapredirect_multi() SKB path

The DEVMAPHASH branch in devmapredirectmulti() uses hlistforeachentrysafe() to iterate hash buckets, but this function runs under RCU protection (called from xdpdogenericredirectmap() in softirq context). Concurrent writers (_devmaphashupdateelem, devmaphashdeleteelem) modify the list using RCU primitives (hlistaddheadrcu, hlistdelrcu).

hlistforeachentrysafe() performs plain pointer dereferences without rcudereference(), missing the acquire barrier needed to pair with writers' rcuassignpointer(). On weakly-ordered architectures (ARM64, POWER), a reader can observe a partially-constructed node. It also defeats CONFIGPROVE_RCU lockdep validation and KCSAN data-race detection.

Replace with hlistforeachentryrcu() using rcureadlockbhheld() as the lockdep condition, consistent with the rcudereferencecheck() used in the DEVMAP (non-hash) branch of the same functions. Also fix the same incorrect lockdepisheld(&dtab->indexlock) condition in devmapenqueuemulti(), where the lock is not held either.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53096.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e624d4ed4aa8cc3c69d1359b0aaea539203ed266
Fixed
4a3d0fe30b907ff324b1b49756f7e713d67f3645
Fixed
b089aa6e94d7a08e74d076a0fe274842dc9feccc
Fixed
571a05ea1baaccc0dc1e0d227b2cbc978b96d392
Fixed
cb2c1f3cf65b855548e1b8d55a08bfbaa5a0901a
Fixed
d4c4bd231ebad70e6f30db429e9640bf378b2f52
Fixed
7027e705062482a8cea43a1c13ede3c35653966f
Fixed
8ed82f807bb09d2c8455aaa665f2c6cb17bc6a19

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53096.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.14.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53096.json"