Back to overview

CVE-2026-53084

Description
In the Linux kernel, the following vulnerability has been resolved: bpf: return VMA snapshot from task_vma iterator Holding the per-VMA lock across the BPF program body creates a lock ordering problem when helpers acquire locks that depend on mmap_lock: vm_lock -> i_rwsem -> mmap_lock -> vm_lock Snapshot the VMA under the per-VMA lock in _next() via memcpy(), then drop the lock before returning. The BPF program accesses only the snapshot. The verifier only trusts vm_mm and vm_file pointers (see BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is reference- counted with get_file() under the lock and released via fput() on the next iteration or in _destroy(). vm_mm is already correct because lock_vma_under_rcu() verifies vma->vm_mm == mm. All other pointers are left as-is by memcpy() since the verifier treats them as untrusted.

Metadata

CVE ID
CVE-2026-53084
State
PUBLISHED
Assigner
Linux
Reserved
2026-06-09 07:44 UTC
Published
2026-06-24 16:30 UTC
Last updated
2026-06-24 16:30 UTC
Vendor / Product
Linux / Linux
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (2)
VendorProductPlatformVersions
Linux Linux 4ac4546821584736798aaa9e97da9f6eaf689ea3 < 83b8802c034e843b83a3e1ef6f30cdd4e9ec291c, 4ac4546821584736798aaa9e97da9f6eaf689ea3 < 592226d138378601ae28eb890e2bbc23ec3600f7, 4ac4546821584736798aaa9e97da9f6eaf689ea3 < 13860ca37b8df0b856ee1ce3bdbd7c327d5f53e8, 4ac4546821584736798aaa9e97da9f6eaf689ea3 < 4cbee026db54cad39c39db4d356100cb133412b3
Linux Linux 6.7, 0 < 6.7, 6.12.91 ≤ 6.12.*, 6.18.33 ≤ 6.18.* …
References (4)
Back to overview