Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Race condition requires precise timing between concurrent selem unlink and RCU reader paths, warranting AC:H; local BPF loading capability needed, so AV:L and PR:L; impact is DoS only.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths
bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist. A concurrent RCU reader in bpf_sk_storage_clone() can observe the selem still on the list with smap already NULL, causing a NULL pointer dereference.
general protection fault, probably for non-canonical address 0xdffffc000000000a: KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057] RIP: 0010:bpf_sk_storage_clone+0x1cd/0xaa0 net/core/bpf_sk_storage.c:174 Call Trace: <IRQ> sk_clone+0xfed/0x1980 net/core/sock.c:2591 inet_csk_clone_lock+0x30/0x760 net/ipv4/inet_connection_sock.c:1222 tcp_create_openreq_child+0x35/0x2680 net/ipv4/tcp_minisocks.c:571 tcp_v4_syn_recv_sock+0x123/0xf90 net/ipv4/tcp_ipv4.c:1729 tcp_check_req+0x8e1/0x2580 include/net/tcp.h:855 tcp_v4_rcv+0x1845/0x3b80 net/ipv4/tcp_ipv4.c:2347
Add a NULL check for smap in bpf_sk_storage_clone().
bpf_sk_storage_diag_put_all() has the same issue. Add a NULL check and pass the validated smap directly to diag_get(), which is refactored to take smap as a parameter instead of reading it internally.
bpf_sk_storage_diag_put() uses diag->maps[i] which is always valid under its refcount, so diag->maps[i] is passed directly to diag_get().
AnalysisAI
NULL pointer dereference in the Linux kernel's BPF socket storage subsystem (net/core/bpf_sk_storage.c) allows a local low-privileged user to crash the kernel. The race condition between bpf_selem_unlink_nofail() - which nulls smap before removing the element from the hlist - and concurrent RCU readers in bpf_sk_storage_clone() and bpf_sk_storage_diag_put_all() can be triggered during TCP SYN handling (socket cloning path), producing a kernel panic. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the following specific conditions: (1) the target system must have BPF socket storage in use - a BPF program must have previously called bpf_sk_storage_get() to attach a storage element to a socket; (2) the attacker must have the ability to load BPF programs, which on default Linux configurations requires either root/CAP_BPF or kernel.unprivileged_bpf_disabled=0 (the permissive default on many distributions); (3) the race window requires concurrent execution of bpf_selem_unlink_nofail() and bpf_sk_storage_clone() or bpf_sk_storage_diag_put_all() - the latter is reachable via TCP SYN handling during socket cloning. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is low-to-moderate for the vast majority of deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with low privileges (or CAP_BPF) on a system with unprivileged BPF enabled creates a BPF socket storage map and attaches a storage element to an active TCP socket. A concurrent thread or network event triggers socket cloning via an inbound TCP SYN (exercising tcp_v4_syn_recv_sock → bpf_sk_storage_clone), racing with the selem unlink that has already nulled smap but not yet removed the element from the hlist. … |
| Remediation | Apply the upstream kernel fix from the stable tree: commit 375e4e33c18dfa05c5dfd5f3dfffeb29343dd4c7 (https://git.kernel.org/stable/c/375e4e33c18dfa05c5dfd5f3dfffeb29343dd4c7) and commit 16af24fea29c209dea53595c99f6da9398548e1b (https://git.kernel.org/stable/c/16af24fea29c209dea53595c99f6da9398548e1b), which add NULL checks for smap in bpf_sk_storage_clone() and refactor bpf_sk_storage_diag_put_all() to pass a validated smap directly to diag_get(). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38708
GHSA-vgrc-x22q-wc53