Skip to main content

Linux EUVDEUVD-2026-15269

| CVE-2026-23319 HIGH
Use After Free (CWE-416)
2026-03-25 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 23, 2026 - 21:11 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 21:11 NVD
7.8 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15269
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim

The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.

Based on Martin KaFai Lau's suggestions, I have created a simple patch.

To fix this: Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is not already zero.

Testing: I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger:

static void bpf_shim_tramp_link_release(struct bpf_link *link) { /* ... */ if (!shim_link->trampoline) return;

+ msleep(100); WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link, shim_link->trampoline, NULL)); bpf_trampoline_put(shim_link->trampoline); }

Before the patch, running a PoC easily reproduced the crash(almost 100%) with a call trace similar to KaiyanM's report. After the patch, the bug no longer occurs even after millions of iterations.

AnalysisAI

A use-after-free (UAF) vulnerability exists in the Linux kernel's BPF subsystem within the bpf_trampoline_link_cgroup_shim function, where a race condition allows a process to reference memory after it has been freed. An attacker with CAP_BPF or CAP_PERFMON capabilities can trigger this vulnerability to cause a kernel crash (denial of service). A proof-of-concept has been demonstrated by the reporter, showing the bug can be reliably reproduced; the vulnerability is not listed on the CISA KEV catalog but affects all Linux kernel versions until patched.

Technical ContextAI

The vulnerability resides in the Linux kernel's eBPF (extended Berkeley Packet Filter) infrastructure, specifically in cgroup link handling via trampoline mechanisms (CPE: cpe:2.3:a:linux:linux). The root cause is a race condition in reference counting between bpf_link_put (which decrements refcount to zero and marks resources released) and bpf_shim_tramp_link_release (which defers cleanup of tr->progs_hlist). This is classified as a use-after-free (CWE-416 equivalent, though not explicitly stated), where the cgroup_shim_find function can access a link structure through tr->progs_hlist after its refcount has reached zero but before actual cleanup occurs. The fix implements an atomic non-zero check in bpf_trampoline_link_cgroup_shim to prevent refcount increment on already-released objects, preventing the dangling reference.

RemediationAI

Immediately apply kernel patches from the stable Linux repository containing commits 529e685e522b9d7fb379dbe6929dcdf520e34c8c through 56145d237385ca0e7ca9ff7b226aaf2eb8ef368b (available at https://git.kernel.org/stable/). Most distributions will backport these fixes into their respective stable kernel branches; check your distribution's security advisory for specific kernel version numbers (e.g., Linux 6.1.x, 6.6.x, 6.9.x or later depending on your branch). For systems unable to patch immediately, restrict the use of eBPF programs and cgroup link operations to trusted users by denying CAP_BPF and CAP_PERFMON capabilities to untrusted processes or containers via AppArmor, SELinux, or seccomp policies. Monitor kernel logs for UAF-related oops messages and consider scheduling urgent maintenance windows to apply patches.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15269 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy