Skip to main content

Linux Kernel CVE-2026-45838

| EUVDEUVD-2026-32164 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-x78h-gf69-p5j6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.1 MEDIUM

Local BPF syscall access requires low privilege (PR:L); C:L added because the description confirms bogus kernel internal data is explicitly copied to userspace, a confidentiality impact absent from the vendor CVSS.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 19:28 vuln.today
CVSS changed
Jun 26, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 11:16 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 11:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bpf: fix end-of-list detection in cgroup_storage_get_next_key()

list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.

Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.

AnalysisAI

Incorrect end-of-list detection in the Linux kernel's BPF cgroup storage map subsystem allows a local low-privileged user with BPF syscall access to trigger a kernel crash (denial of service) via the cgroup_storage_get_next_key() function. The function uses list_next_entry(), which never returns NULL but wraps to the list head on the last element, causing the kernel to read storage->key from a bogus pointer aliasing internal map fields and copy the result to userspace - a condition that can provoke a kernel oops or panic. No public exploit exists and EPSS is 0.02% (5th percentile), consistent with the local-only attack surface and absence of CISA KEV listing.

Technical ContextAI

The vulnerability resides in the BPF (Berkeley Packet Filter) cgroup storage map implementation within the Linux kernel, specifically the cgroup_storage_get_next_key() function used to iterate BPF map entries via the bpf_map_get_next_key() syscall. The root cause (CWE-476, Null Pointer Dereference, though the mechanism is more precisely a list-traversal logic error) is that list_next_entry() uses container_of() internally and never returns NULL; when the current element is the last in a linked list, it wraps around to the embedded list head structure rather than signaling termination. The subsequent NULL check is therefore permanently dead code. On the final map entry, the function dereferences a pointer that actually overlaps internal kernel map fields (the list head embedded in the map structure), reads storage->key from this invalid memory region, and copies the data to userspace. The fix replaces the NULL check with list_entry_is_head(), which correctly detects list termination. CPE data confirms the affected product as cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across multiple stable release branches, all sharing the introducing commit de9cbbaadba5adf88a19e46df61f7054000838f6.

RemediationAI

Apply the vendor-released kernel patch for the applicable stable branch: upgrade to Linux 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1-rc1 or later. Fix commits are published at git.kernel.org/stable and referenced by NVD. Distribution-specific backported packages from RHEL, Ubuntu, SUSE, and Debian should be monitored and applied via normal package management. As a compensating control prior to patching, set kernel.unprivileged_bpf_disabled=1 via sysctl (or persist in /etc/sysctl.d/) to restrict BPF syscall access to privileged users only - this prevents unprivileged local users from invoking BPF map operations but does not block CAP_BPF or CAP_SYS_ADMIN holders. This control has minimal operational impact on most server workloads but may affect containers or observability agents (e.g., eBPF-based monitoring tools like Cilium, Falco, or bcc) that rely on unprivileged BPF access, so test before deploying broadly. Additionally, limit local user accounts and enforce least-privilege access to reduce the pool of users who could trigger the condition.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-45838 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy