Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local only (AV:L); winning the update-vs-softirq race is hard, especially as it bites only weakly-ordered CPUs (AC:H); creating/updating a BPF devmap needs capabilities (PR:L); memory corruption yields high C/I/A.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
The DEVMAP_HASH branch in dev_map_redirect_multi() uses hlist_for_each_entry_safe() to iterate hash buckets, but this function runs under RCU protection (called from xdp_do_generic_redirect_map() in softirq context). Concurrent writers (__dev_map_hash_update_elem, dev_map_hash_delete_elem) modify the list using RCU primitives (hlist_add_head_rcu, hlist_del_rcu).
hlist_for_each_entry_safe() performs plain pointer dereferences without rcu_dereference(), missing the acquire barrier needed to pair with writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64, POWER), a reader can observe a partially-constructed node. It also defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race detection.
Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held() as the lockdep condition, consistent with the rcu_dereference_check() used in the DEVMAP (non-hash) branch of the same functions. Also fix the same incorrect lockdep_is_held(&dtab->index_lock) condition in dev_map_enqueue_multi(), where the lock is not held either.
AnalysisAI
Memory-safety data race in the Linux kernel's BPF DEVMAP_HASH redirect path (dev_map_redirect_multi(), SKB/generic XDP path) lets a concurrent reader in softirq context observe a partially-constructed hash node because hlist_for_each_entry_safe() dereferences list pointers without the rcu_dereference() acquire barrier that pairs with writers' rcu_assign_pointer(). Affecting kernels from 5.14 up to the fixed stable releases, it can lead to memory corruption or information disclosure on weakly-ordered architectures (ARM64, POWER) when BPF devmap-hash redirect is in use. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access plus the ability to create and update a BPF DEVMAP_HASH (BPF_MAP_TYPE_DEVMAP_HASH) map and trigger the generic/SKB XDP multicast redirect path (dev_map_redirect_multi() via xdp_do_generic_redirect_map()) - in practice CAP_BPF/CAP_NET_ADMIN or unprivileged-BPF being enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals point to a genuine but low-urgency, locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user or container workload holding BPF/network capabilities creates a DEVMAP_HASH map, attaches a generic-XDP program that performs multicast/broadcast redirect, and then rapidly adds and deletes map entries while traffic drives dev_map_redirect_multi() in softirq context on an ARM64 or POWER host. By racing the updates against the unsynchronized reader, the attacker forces traversal of a partially-constructed node to corrupt memory or leak kernel data. … |
| Remediation | Vendor-released patch: upgrade to a fixed kernel - 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or mainline 7.1 (pick the fix matching your stable series), available from kernel.org stable trees and via your distribution's kernel update channel; cross-reference https://nvd.nist.gov/vuln/detail/CVE-2026-53096 and the stable commits at https://git.kernel.org/stable/c/4a3d0fe30b907ff324b1b49756f7e713d67f3645. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit inventory for Linux systems running kernel versions 5.14 and later; identify those with BPF devmap-hash redirect enabled on ARM64 or POWER architectures. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38964
GHSA-8qvr-6896-8wfm