Skip to main content

Linux Kernel EUVDEUVD-2026-38962

| CVE-2026-53094 HIGH
2026-06-24 Linux GHSA-c5q6-h25m-p95j
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.8 MEDIUM

Local low-priv BPF loading (PR:L); non-default bpf_jit_harden=2 precondition raises AC:H; demonstrated impact is a kernel crash (A:H) with only speculative info/integrity loss (C:L/I:L).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:10 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stale offload->prog pointer after constant blinding

When a dev-bound-only BPF program (BPF_F_XDP_DEV_BOUND_ONLY) undergoes JIT compilation with constant blinding enabled (bpf_jit_harden >= 2), bpf_jit_blind_constants() clones the program. The original prog is then freed in bpf_jit_prog_release_other(), which updates aux->prog to point to the surviving clone, but fails to update offload->prog.

This leaves offload->prog pointing to the freed original program. When the network namespace is subsequently destroyed, cleanup_net() triggers bpf_dev_bound_netdev_unregister(), which iterates ondev->progs and calls __bpf_prog_offload_destroy(offload->prog). Accessing the freed prog causes a page fault:

BUG: unable to handle page fault for address: ffffc900085f1038 Workqueue: netns cleanup_net RIP: 0010:__bpf_prog_offload_destroy+0xc/0x80 Call Trace: __bpf_offload_dev_netdev_unregister+0x257/0x350 bpf_dev_bound_netdev_unregister+0x4a/0x90 unregister_netdevice_many_notify+0x2a2/0x660 ... cleanup_net+0x21a/0x320

The test sequence that triggers this reliably is:

  1. Set net.core.bpf_jit_harden=2 (echo 2 > /proc/sys/net/core/bpf_jit_harden)
  2. Run xdp_metadata selftest, which creates a dev-bound-only XDP

program on a veth inside a netns (./test_progs -t xdp_metadata)

  1. cleanup_net -> page fault in __bpf_prog_offload_destroy

Dev-bound-only programs are unique in that they have an offload structure but go through the normal JIT path instead of bpf_prog_offload_compile(). This means they are subject to constant blinding's prog clone-and-replace, while also having offload->prog that must stay in sync.

Fix this by updating offload->prog in bpf_jit_prog_release_other(), alongside the existing aux->prog update. Both are back-pointers to the prog that must be kept in sync when the prog is replaced.

AnalysisAI

Local privilege/denial-of-service exposure in the Linux kernel BPF subsystem allows a low-privileged user who can load a device-bound XDP program to trigger a use-after-free during network namespace teardown. When constant blinding is enabled (bpf_jit_harden=2), JIT compilation of a BPF_F_XDP_DEV_BOUND_ONLY program clones the program and frees the original, but offload->prog is left pointing at the freed buffer; later netns cleanup dereferences it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local BPF/XDP load privileges
Delivery
Create network namespace with veth
Exploit
Load dev-bound-only XDP prog (jit_harden=2 blinds constants, frees original)
Execution
offload->prog left dangling
Persist
Destroy netns triggering cleanup_net
Impact
Kernel use-after-free / page fault

Vulnerability AssessmentAI

Exploitation Requires all of: (1) net.core.bpf_jit_harden set to 2 (constant blinding enabled) - a NON-default setting that gates the whole bug; (2) the ability to load a device-bound-only XDP program using the BPF_F_XDP_DEV_BOUND_ONLY flag, i.e., local access with BPF/XDP loading privileges (CVSS PR:L); (3) attachment to a netdev (e.g., veth) inside a network namespace; and (4) subsequent destruction of that namespace to trigger cleanup_net and the stale-pointer dereference. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a real-but-narrow risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a host with net.core.bpf_jit_harden=2, a local user (e.g., inside a container with BPF/XDP privileges) creates a network namespace, loads a device-bound-only XDP program on a veth so it is JIT-compiled with constant blinding, then deletes the namespace. The cleanup_net workqueue dereferences the freed offload->prog, reliably crashing the kernel; this matches the documented test_progs -t xdp_metadata reproduction and could potentially be developed further given a use-after-free primitive.
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's backport carrying commits a713b72ff88c / 25484c39d1ec / 059525cf18e6 / c79f8503d83d / a1aa9ef47c29 from git.kernel.org/stable). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems and determine whether BPF JIT hardening (bpf_jit_harden=2) is enabled; correlate with kernel versions containing CVE-2026-53094. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38962 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy