Skip to main content

Linux CVE-2026-23342

| EUVDEUVD-2026-15309 MEDIUM
Race Condition (CWE-362)
2026-03-25 Linux GHSA-c898-7qpg-fw83
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:27 NVD
4.7 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15309
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix race in cpumap on PREEMPT_RT

On PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU.

The original code assumes bq_enqueue() and __cpu_map_flush() run atomically with respect to each other on the same CPU, relying on local_bh_disable() to prevent preemption. However, on PREEMPT_RT, local_bh_disable() only calls migrate_disable() (when PREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable preemption, which allows CFS scheduling to preempt a task during bq_flush_to_queue(), enabling another task on the same CPU to enter bq_enqueue() and operate on the same per-CPU bq concurrently.

This leads to several races:

  1. Double __list_del_clearprev(): after bq->count is reset in

bq_flush_to_queue(), a preempting task can call bq_enqueue() -> bq_flush_to_queue() on the same bq when bq->count reaches CPU_MAP_BULK_SIZE. Both tasks then call __list_del_clearprev() on the same bq->flush_node, the second call dereferences the prev pointer that was already set to NULL by the first.

  1. bq->count and bq->q[] races: concurrent bq_enqueue() can corrupt

the packet queue while bq_flush_to_queue() is processing it.

The race between task A (__cpu_map_flush -> bq_flush_to_queue) and task B (bq_enqueue -> bq_flush_to_queue) on the same CPU:

Task A (xdp_do_flush) Task B (cpu_map_enqueue) ---------------------- ------------------------ bq_flush_to_queue(bq) spin_lock(&q->producer_lock) /* flush bq->q[] to ptr_ring */ bq->count = 0 spin_unlock(&q->producer_lock) bq_enqueue(rcpu, xdpf) <-- CFS preempts Task A --> bq->q[bq->count++] = xdpf /* ... more enqueues until full ... */ bq_flush_to_queue(bq) spin_lock(&q->producer_lock) /* flush to ptr_ring */ spin_unlock(&q->producer_lock) __list_del_clearprev(flush_node) /* sets flush_node.prev = NULL */ <-- Task A resumes --> __list_del_clearprev(flush_node) flush_node.prev->next = ... /* prev is NULL -> kernel oops */

Fix this by adding a local_lock_t to xdp_bulk_queue and acquiring it in bq_enqueue() and __cpu_map_flush(). These paths already run under local_bh_disable(), so use local_lock_nested_bh() which on non-RT is a pure annotation with no overhead, and on PREEMPT_RT provides a per-CPU sleeping lock that serializes access to the bq.

To reproduce, insert an mdelay(100) between bq->count = 0 and __list_del_clearprev() in bq_flush_to_queue(), then run reproducer provided by syzkaller.

AnalysisAI

A race condition exists in the Linux kernel's eBPF CPU map implementation on PREEMPT_RT systems, where concurrent access to per-CPU packet queues can cause memory corruption and kernel crashes. This vulnerability affects Linux kernel versions across multiple branches and can be triggered by tasks running on the same CPU, potentially allowing local denial of service or information disclosure. A proof-of-concept has been made available via syzkaller, and patches have been released through the official Linux kernel stable repositories.

Technical ContextAI

The vulnerability resides in the eBPF subsystem's cpumap implementation, specifically in the interaction between bq_enqueue() and bq_flush_to_queue() functions that manage per-CPU xdp_bulk_queue structures. On PREEMPT_RT kernels, local_bh_disable() does not prevent CFS task preemption in the same way as non-RT kernels; it only calls migrate_disable() when PREEMPT_RT_NEEDS_BH_LOCK is not set. This breaks the original atomicity assumption that allowed safe concurrent manipulation of the bulk queue. The root cause falls under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-416 (Use-After-Free). The affected product, identified via CPE (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), encompasses all Linux kernel versions until patched. The vulnerability manifests as double-free scenarios when __list_del_clearprev() is called on an already-cleaned flush_node, or as data corruption when bq->count and bq->q[] are accessed concurrently by multiple tasks.

RemediationAI

Upgrade the Linux kernel to a patched version containing the commits referenced at https://git.kernel.org/stable/c/7466ae2aeed483de80c5d8dea0913cf74038b652, https://git.kernel.org/stable/c/e67299e1044349ad0088d52c6bc5764cc1816c06, and https://git.kernel.org/stable/c/869c63d5975d55e97f6b168e885452b3da20ea47. The fix adds a local_lock_t to the xdp_bulk_queue structure and uses local_lock_nested_bh() to serialize access in bq_enqueue() and __cpu_map_flush() functions, preventing concurrent manipulation of the queue on PREEMPT_RT systems. Until patching is possible, restrict eBPF program loading to trusted users only via AppArmor or SELinux policies, disable CONFIG_XDP_SOCKETS if not required, and monitor system logs for kernel panics related to list_del operations. For critical systems unable to patch immediately, consider reverting to non-RT kernel variants temporarily if operationally feasible.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy