Skip to main content

Linux Kernel CVE-2026-45837

| EUVDEUVD-2026-32163 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5vq6-7cj2-4m9j
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local-only bug (AV:L) reachable without user interaction by a process with BPF privileges (PR:L); a kernel UAF plausibly yields full memory disclosure, corruption, and crash, so C/I/A:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
6.7 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Red Hat
6.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 19:23 vuln.today
CVSS changed
Jun 26, 2026 - 19:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 11:16 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 11:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix use-after-free in arena_vm_close on fork

arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.

Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.

Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:

check_prep_vma() - returns 0 early: new_len old_len skips VM_DONTEXPAND check prep_move_vma() - vm_start old_addr and vm_end == old_addr + old_len so may_split is never called move_vma() copy_vma_and_data() copy_vma() vm_area_dup() - copies vm_private_data (vml pointer) vm_ops->open() - bumps vml->mmap_count vm_ops->mremap() - returns -EINVAL, rollback unmaps new VMA

The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.

AnalysisAI

Local privilege-escalation-class memory corruption in the Linux kernel's BPF arena subsystem (introduced around 6.9) allows a process holding BPF capabilities to trigger a use-after-free. When a BPF arena VMA is inherited across fork(), arena_vm_open() bumps the mmap refcount but never registers the child VMA in arena->vma_list, leaving vml->vma pointing at the parent VMA; after the parent munmaps, a child call to bpf_arena_free_pages() dereferences the dangling pointer in zap_pages(). No public exploit or active exploitation is identified (EPSS 0.02%, 5th percentile), and vendor patches are available.

Technical ContextAI

The flaw lives in the BPF arena map type (kernel/bpf/arena.c), a shared user/kernel memory region exposed to BPF programs and userspace via mmap. The arena tracks its mappings through a vma_list and a per-mapping vml structure carrying an mmap_count refcount and a vml->vma back-pointer. The vm_ops->open callback (arena_vm_open) is invoked when a VMA is duplicated - notably during fork's copy of the address space - but it only incremented the refcount without inserting the new child VMA into arena->vma_list, so vml->vma kept referencing the original parent VMA. This is a classic CWE-416 use-after-free: once the parent VMA is torn down by munmap, any subsequent operation that walks the stale pointer (here zap_pages() invoked from bpf_arena_free_pages()) reads freed memory. The fix marks the arena VMA VM_DONTCOPY so it is not inherited across fork, adds a may_split callback to block VMA splits, and adds an mremap callback returning -EINVAL to close a same-size mremap(MREMAP_FIXED) path that reached copy_vma() and duplicated vm_private_data. The affected CPE is cpe:2.3:o:linux:linux_kernel across the indicated version ranges.

RemediationAI

Vendor-released patch: update to a fixed stable kernel - 6.12.88, 6.18.30, 7.0.7, or mainline 7.1-rc1 (or your distribution's backported equivalent referencing the upstream commits 201128fcc7b2 / 4fddde2a732d / 723b9fa930cc / d18099f19e53 at git.kernel.org). Where immediate patching is not possible, reduce exposure by restricting who can create BPF arena maps: ensure unprivileged BPF is disabled (sysctl kernel.unprivileged_bpf_disabled=1 or =2), which prevents non-root users from loading the BPF programs needed to reach the arena code path - the trade-off is that legitimate unprivileged BPF workloads (some observability/sandboxing tools) will break. Tightening CAP_BPF/CAP_SYS_ADMIN grants to containers and service accounts is an effective compensating control with minimal side effects for most deployments. Track the advisory at https://vuldb.com/vuln/366053.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-45837 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy