In the Linux kernel, the following vulnerability has been resolved:
bpf: Do not allow deleting local storage in NMI
Currently, local storage may deadlock when deferring freeing selem or local storage through kfreercu(), callrcu() or callrcutaskstrace() in NMI or reentrant. Since deleting selem in NMI is an unlikely use case, partially mitigate it by returning error when calling from bpfxxxstoragedelete() helpers in NMI. Note that, it is still possible to deadlock through reentrant. A full mitigation requires returning error when irqsdisabled() is true, which, however is too heavy-handed for bpfxxxstoragedelete().
The long-term solution requires nolock versions of callrcu. Another possible solution is to defer the free through irq_work [0], but it would grow the size of selem, which is non-ideal.
The check is only needed in bpfselemunlink(), which is used by helpers and syscalls. bpfselemunlink_nofail() is fine as it is called during map and owner tear down that never run in NMI or reentrant.
[0] https://lore.kernel.org/bpf/20260205190233.912-1-alexei.starovoitov@gmail.com/
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53106.json",
"cna_assigner": "Linux"
}