Skip to main content

Linux Kernel CVE-2026-53096

| EUVDEUVD-2026-38964 HIGH
2026-06-24 Linux GHSA-8qvr-6896-8wfm
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local only (AV:L); winning the update-vs-softirq race is hard, especially as it bites only weakly-ordered CPUs (AC:H); creating/updating a BPF devmap needs capabilities (PR:L); memory corruption yields high C/I/A.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:11 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path

The DEVMAP_HASH branch in dev_map_redirect_multi() uses hlist_for_each_entry_safe() to iterate hash buckets, but this function runs under RCU protection (called from xdp_do_generic_redirect_map() in softirq context). Concurrent writers (__dev_map_hash_update_elem, dev_map_hash_delete_elem) modify the list using RCU primitives (hlist_add_head_rcu, hlist_del_rcu).

hlist_for_each_entry_safe() performs plain pointer dereferences without rcu_dereference(), missing the acquire barrier needed to pair with writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64, POWER), a reader can observe a partially-constructed node. It also defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race detection.

Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held() as the lockdep condition, consistent with the rcu_dereference_check() used in the DEVMAP (non-hash) branch of the same functions. Also fix the same incorrect lockdep_is_held(&dtab->index_lock) condition in dev_map_enqueue_multi(), where the lock is not held either.

AnalysisAI

Memory-safety data race in the Linux kernel's BPF DEVMAP_HASH redirect path (dev_map_redirect_multi(), SKB/generic XDP path) lets a concurrent reader in softirq context observe a partially-constructed hash node because hlist_for_each_entry_safe() dereferences list pointers without the rcu_dereference() acquire barrier that pairs with writers' rcu_assign_pointer(). Affecting kernels from 5.14 up to the fixed stable releases, it can lead to memory corruption or information disclosure on weakly-ordered architectures (ARM64, POWER) when BPF devmap-hash redirect is in use. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local BPF/network capability
Delivery
Create DEVMAP_HASH redirect map
Exploit
Drive multicast XDP redirect traffic
Execution
Race concurrent map add/delete updates
Persist
Reader dereferences partial node
Impact
Corrupt or leak kernel memory

Vulnerability AssessmentAI

Exploitation Requires local access plus the ability to create and update a BPF DEVMAP_HASH (BPF_MAP_TYPE_DEVMAP_HASH) map and trigger the generic/SKB XDP multicast redirect path (dev_map_redirect_multi() via xdp_do_generic_redirect_map()) - in practice CAP_BPF/CAP_NET_ADMIN or unprivileged-BPF being enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals point to a genuine but low-urgency, locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user or container workload holding BPF/network capabilities creates a DEVMAP_HASH map, attaches a generic-XDP program that performs multicast/broadcast redirect, and then rapidly adds and deletes map entries while traffic drives dev_map_redirect_multi() in softirq context on an ARM64 or POWER host. By racing the updates against the unsynchronized reader, the attacker forces traversal of a partially-constructed node to corrupt memory or leak kernel data. …
Remediation Vendor-released patch: upgrade to a fixed kernel - 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or mainline 7.1 (pick the fix matching your stable series), available from kernel.org stable trees and via your distribution's kernel update channel; cross-reference https://nvd.nist.gov/vuln/detail/CVE-2026-53096 and the stable commits at https://git.kernel.org/stable/c/4a3d0fe30b907ff324b1b49756f7e713d67f3645. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit inventory for Linux systems running kernel versions 5.14 and later; identify those with BPF devmap-hash redirect enabled on ARM64 or POWER architectures. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy