Skip to main content

Linux Kernel CVE-2026-52938

| EUVDEUVD-2026-38708 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-24 Linux GHSA-vgrc-x22q-wc53
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires precise timing between concurrent selem unlink and RCU reader paths, warranting AC:H; local BPF loading capability needed, so AV:L and PR:L; impact is DoS only.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 22:03 vuln.today
CVSS changed
Jul 08, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths

bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist. A concurrent RCU reader in bpf_sk_storage_clone() can observe the selem still on the list with smap already NULL, causing a NULL pointer dereference.

general protection fault, probably for non-canonical address 0xdffffc000000000a: KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057] RIP: 0010:bpf_sk_storage_clone+0x1cd/0xaa0 net/core/bpf_sk_storage.c:174 Call Trace: <IRQ> sk_clone+0xfed/0x1980 net/core/sock.c:2591 inet_csk_clone_lock+0x30/0x760 net/ipv4/inet_connection_sock.c:1222 tcp_create_openreq_child+0x35/0x2680 net/ipv4/tcp_minisocks.c:571 tcp_v4_syn_recv_sock+0x123/0xf90 net/ipv4/tcp_ipv4.c:1729 tcp_check_req+0x8e1/0x2580 include/net/tcp.h:855 tcp_v4_rcv+0x1845/0x3b80 net/ipv4/tcp_ipv4.c:2347

Add a NULL check for smap in bpf_sk_storage_clone().

bpf_sk_storage_diag_put_all() has the same issue. Add a NULL check and pass the validated smap directly to diag_get(), which is refactored to take smap as a parameter instead of reading it internally.

bpf_sk_storage_diag_put() uses diag->maps[i] which is always valid under its refcount, so diag->maps[i] is passed directly to diag_get().

AnalysisAI

NULL pointer dereference in the Linux kernel's BPF socket storage subsystem (net/core/bpf_sk_storage.c) allows a local low-privileged user to crash the kernel. The race condition between bpf_selem_unlink_nofail() - which nulls smap before removing the element from the hlist - and concurrent RCU readers in bpf_sk_storage_clone() and bpf_sk_storage_diag_put_all() can be triggered during TCP SYN handling (socket cloning path), producing a kernel panic. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Load BPF program with sk_storage map
Delivery
Attach storage element to active TCP socket
Exploit
Initiate concurrent selem unlink (smap set to NULL)
Install
Trigger TCP SYN to invoke socket clone path
C2
bpf_sk_storage_clone reads selem still on hlist with NULL smap
Execute
NULL pointer dereference
Impact
Kernel panic (denial of service)

Vulnerability AssessmentAI

Exploitation Exploitation requires the following specific conditions: (1) the target system must have BPF socket storage in use - a BPF program must have previously called bpf_sk_storage_get() to attach a storage element to a socket; (2) the attacker must have the ability to load BPF programs, which on default Linux configurations requires either root/CAP_BPF or kernel.unprivileged_bpf_disabled=0 (the permissive default on many distributions); (3) the race window requires concurrent execution of bpf_selem_unlink_nofail() and bpf_sk_storage_clone() or bpf_sk_storage_diag_put_all() - the latter is reachable via TCP SYN handling during socket cloning. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low-to-moderate for the vast majority of deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with low privileges (or CAP_BPF) on a system with unprivileged BPF enabled creates a BPF socket storage map and attaches a storage element to an active TCP socket. A concurrent thread or network event triggers socket cloning via an inbound TCP SYN (exercising tcp_v4_syn_recv_sock → bpf_sk_storage_clone), racing with the selem unlink that has already nulled smap but not yet removed the element from the hlist. …
Remediation Apply the upstream kernel fix from the stable tree: commit 375e4e33c18dfa05c5dfd5f3dfffeb29343dd4c7 (https://git.kernel.org/stable/c/375e4e33c18dfa05c5dfd5f3dfffeb29343dd4c7) and commit 16af24fea29c209dea53595c99f6da9398548e1b (https://git.kernel.org/stable/c/16af24fea29c209dea53595c99f6da9398548e1b), which add NULL checks for smap in bpf_sk_storage_clone() and refactor bpf_sk_storage_diag_put_all() to pass a validated smap directly to diag_get(). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-52938 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy