bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path_CVE-2026-53096

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path

The DEVMAP_HASH branch in dev_map_redirect_multi() uses
hlist_for_each_entry_safe() to iterate hash buckets, but this function
runs under RCU protection (called from xdp_do_generic_redirect_map()
in softirq context). Concurrent writers (__dev_map_hash_update_elem,
dev_map_hash_delete_elem) modify the list using RCU primitives
(hlist_add_head_rcu, hlist_del_rcu).

hlist_for_each_entry_safe() performs plain pointer dereferences without
rcu_dereference(), missing the acquire barrier needed to pair with
writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64,
POWER), a reader can observe a partially-constructed node. It also
defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race
detection.

Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held()
as the lockdep condition, consistent with the rcu_dereference_check()
used in the DEVMAP (non-hash) branch of the same functions. Also fix
the same incorrect lockdep_is_held(&dtab->index_lock) condition in
dev_map_enqueue_multi(), where the lock is not held either.

Basic Information

ID CVE-2026-53096

Source Linux

Published Jun 24, 2026 at 16:30

Modified Jun 28, 2026 at 06:39

Affected Product

Vendor Linux

Product Linux

Version e624d4ed4aa8cc3c69d1359b0aaea539203ed266

Affected Versions Linux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266
Linux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266
Linux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266
Linux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266
Linux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266
Linux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266
Linux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266
Linux Linux 5.14

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path\n\nThe DEVMAP_HASH branch in dev_map_redirect_multi() uses\nhlist_for_each_entry_safe() to iterate hash buckets, but this function\nruns under RCU protection (called from xdp_do_generic_redirect_map()\nin softirq context). Concurrent writers (__dev_map_hash_update_elem,\ndev_map_hash_delete_elem) modify the list using RCU primitives\n(hlist_add_head_rcu, hlist_del_rcu).\n\nhlist_for_each_entry_safe() performs plain pointer dereferences without\nrcu_dereference(), missing the acquire barrier needed to pair with\nwriters' rcu_assign_pointer(). On weakly-ordered architectures (ARM64,\nPOWER), a reader can observe a partially-constructed node. It also\ndefeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race\ndetection.\n\nReplace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held()\nas the lockdep condition, consistent with the rcu_dereference_check()\nused in the DEVMAP (non-hash) branch of the same functions. Also fix\nthe same incorrect lockdep_is_held(&dtab->index_lock) condition in\ndev_map_enqueue_multi(), where the lock is not held either.",
    "published": "2026-06-24T16:30:34.477Z",
    "modified": "2026-06-28T06:39:18.779Z",
    "type": "cve",
    "title": "bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/4a3d0fe30b907ff324b1b49756f7e713d67f3645\nhttps://git.kernel.org/stable/c/b089aa6e94d7a08e74d076a0fe274842dc9feccc\nhttps://git.kernel.org/stable/c/571a05ea1baaccc0dc1e0d227b2cbc978b96d392\nhttps://git.kernel.org/stable/c/cb2c1f3cf65b855548e1b8d55a08bfbaa5a0901a\nhttps://git.kernel.org/stable/c/d4c4bd231ebad70e6f30db429e9640bf378b2f52\nhttps://git.kernel.org/stable/c/7027e705062482a8cea43a1c13ede3c35653966f\nhttps://git.kernel.org/stable/c/8ed82f807bb09d2c8455aaa665f2c6cb17bc6a19",
    "id": "CVE-2026-53096",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266\nLinux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266\nLinux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266\nLinux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266\nLinux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266\nLinux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266\nLinux Linux e624d4ed4aa8cc3c69d1359b0aaea539203ed266\nLinux Linux 5.14",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "e624d4ed4aa8cc3c69d1359b0aaea539203ed266",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply