Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local BPF-capable attacker (AV:L/PR:L); a concurrent task-exit race raises complexity to AC:H; UAF yields high C/I/A within the kernel (S:U).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
bpf: fix mm lifecycle in open-coded task_vma iterator
The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed as it is not SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free.
Safely read task->mm with a trylock on alloc_lock and acquire an mm reference. Drop the reference via bpf_iter_mmput_async() in _destroy() and error paths. bpf_iter_mmput_async() is a local wrapper around mmput_async() with a fallback to mmput() on !CONFIG_MMU.
Reject irqs-disabled contexts (including NMI) up front. Operations used by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async) take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from NMI or from a tracepoint that fires with those locks held could deadlock.
A trylock on alloc_lock is used instead of the blocking task_lock() (get_task_mm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.
AnalysisAI
Local privilege escalation and memory corruption in the Linux kernel BPF subsystem arises from a use-after-free in the open-coded task_vma iterator, which read task->mm locklessly and took mmap_read_trylock() without ever calling mmget(). On kernels where a concurrent task exit frees the mm_struct (not protected by SLAB_TYPESAFE_BY_RCU), a BPF program iterating that task's VMAs can access freed memory, enabling information disclosure or kernel control-flow corruption. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the ability to load and run an eBPF program that uses the open-coded task_vma iterator (bpf_iter_task_vma) - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects a local, low-complexity attack needing low privileges but yielding high confidentiality, integrity, and availability impact - consistent with a kernel UAF. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with the ability to load BPF programs (e.g. a container or service with CAP_BPF) starts a task_vma iterator against a target task and, in a tight loop, races the target's exit so its mm_struct is freed mid-traversal. … |
| Remediation | Vendor-released patch: upgrade to a fixed Linux kernel build - 6.12.91, 6.18.33, 7.0.10, or mainline 7.1 (or your distribution's backport carrying stable commits 239cec25a2, d0862de7c8, 43683bb280, or d8e27d2d22 from https://git.kernel.org/stable/c/239cec25a22662dbd80f57d94b38178c8be95269 and the related stable links). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all Linux systems; consult vendor security advisories for affected kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-825 – Expired Pointer Dereference
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38953
GHSA-44fh-c439-xq8f