CVE-2026-53111

Source
https://cve.org/CVERecord?id=CVE-2026-53111
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53111.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53111
Downstream
Published
2026-06-24T16:30:44.691Z
Modified
2026-07-08T08:13:43.835473246Z
Summary
bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: testrun: Fix the null pointer dereference issue in bpflwtxmitpush_encap

The bpflwtxmitpushencap helper needs to access skb_dst(skb)->dev to calculate the needed headroom:

err = skb_cow_head(skb,
           len + LL_RESERVED_SPACE(skb_dst(skb)->dev));

But skb->skbrefdst may not be initialized when the skb is set up by bpfprogtestrunskb function. Executing bpflwtpushipencap function in this scenario will trigger null pointer dereference, causing a kernel crash as Yinhao reported:

[ 105.186365] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 105.186382] #PF: supervisor read access in kernel mode [ 105.186388] #PF: errorcode(0x0000) - not-present page [ 105.186393] PGD 121d3d067 P4D 121d3d067 PUD 106c83067 PMD 0 [ 105.186404] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 105.186412] CPU: 3 PID: 3250 Comm: poc Kdump: loaded Not tainted 6.19.0-rc5 #1 [ 105.186423] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 105.186427] RIP: 0010:bpflwtpushipencap+0x1eb/0x520 [ 105.186443] Code: 0f 84 de 01 00 00 0f b7 4a 04 66 85 c9 0f 85 47 01 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8b 73 58 48 83 e6 fe <48> 8b 36 0f b7 be ec 00 00 00 0f b7 b6 e6 00 00 00 01 fe 83 e6 f0 [ 105.186449] RSP: 0018:ffffbb0e0387bc50 EFLAGS: 00010246 [ 105.186455] RAX: 000000000000004e RBX: ffff94c74e036500 RCX: ffff94c74874da00 [ 105.186460] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff94c74e036500 [ 105.186463] RBP: 0000000000000001 R08: 0000000000000002 R09: 0000000000000000 [ 105.186467] R10: ffffbb0e0387bd50 R11: 0000000000000000 R12: ffffbb0e0387bc98 [ 105.186471] R13: 0000000000000014 R14: 0000000000000000 R15: 0000000000000002 [ 105.186484] FS: 00007f166aa4d680(0000) GS:ffff94c8b7780000(0000) knlGS:0000000000000000 [ 105.186490] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 105.186494] CR2: 0000000000000000 CR3: 000000015eade001 CR4: 0000000000770ee0 [ 105.186499] PKRU: 55555554 [ 105.186502] Call Trace: [ 105.186507] <TASK> [ 105.186513] bpflwtxmitpushencap+0x2b/0x40 [ 105.186522] bpfproga75eaad51e517912+0x41/0x49 [ 105.186536] ? kvmclockgetcycles+0x18/0x30 [ 105.186547] ? ktimeget+0x3c/0xa0 [ 105.186554] bpftestrun+0x195/0x320 [ 105.186563] ? bpftestrun+0x10f/0x320 [ 105.186579] bpfprogtestrun_skb+0x2f5/0x4f0 [ 105.186590] __sys_bpf+0x69c/0xa40 [ 105.186603] __x64sysbpf+0x1e/0x30 [ 105.186611] dosyscall64+0x59/0x110 [ 105.186620] entrySYSCALL64afterhwframe+0x76/0xe0 [ 105.186649] RIP: 0033:0x7f166a97455d

Temporarily add the setting of skb->skbrefdst before bpftestrun to resolve the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53111.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
52f278774e796a553be0c869dcaaee6f259ca795
Fixed
5c8d1f91fc4898d79f29d79c1a6f7c2b3ee66fb0
Fixed
c7ad31fb948fdd4905263f4324160682c3fa7bc6
Fixed
599905c3f10bb83e6e6881d5a7f5cea5df07dc23
Fixed
5500913516e071dbe23e5a404c861dd2d82c9589
Fixed
94f95328b9070909b5b875c647b17a11d3d85567
Fixed
972787479ee73006fddb5e59ab5c8e733810ff42

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53111.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53111.json"