From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2026-52938: bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths
Date: Wed, 24 Jun 2026 09:13:53 +0200
Message-ID: <2026062434-CVE-2026-52938-e793@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths

bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing
the selem from the storage hlist. A concurrent RCU reader in
bpf_sk_storage_clone() can observe the selem still on the list with smap
already NULL, causing a NULL pointer dereference.

general protection fault, probably for non-canonical address 0xdffffc000000000a: KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057]
RIP: 0010:bpf_sk_storage_clone+0x1cd/0xaa0 net/core/bpf_sk_storage.c:174
Call Trace:
 sk_clone+0xfed/0x1980 net/core/sock.c:2591
 inet_csk_clone_lock+0x30/0x760 net/ipv4/inet_connection_sock.c:1222
 tcp_create_openreq_child+0x35/0x2680 net/ipv4/tcp_minisocks.c:571
 tcp_v4_syn_recv_sock+0x123/0xf90 net/ipv4/tcp_ipv4.c:1729
 tcp_check_req+0x8e1/0x2580 include/net/tcp.h:855
 tcp_v4_rcv+0x1845/0x3b80 net/ipv4/tcp_ipv4.c:2347

Add a NULL check for smap in bpf_sk_storage_clone().

bpf_sk_storage_diag_put_all() has the same issue.
Add a NULL check and pass the validated smap directly to diag_get(), which
is refactored to take smap as a parameter instead of reading it internally.
bpf_sk_storage_diag_put() uses diag->maps[i] which is always valid under
its refcount, so diag->maps[i] is passed directly to diag_get().

The Linux kernel CVE team has assigned CVE-2026-52938 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 7.0 with commit 5d800f87d0a5ea1b156c47a4b9fd128479335153 and fixed in 7.1 with commit 375e4e33c18dfa05c5dfd5f3dfffeb29343dd4c7

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-52938
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/core/bpf_sk_storage.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/375e4e33c18dfa05c5dfd5f3dfffeb29343dd4c7
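The ordering hazard in the Description (smap cleared before the element leaves the list, while a reader walks the list without locking) is easy to reproduce in a single-threaded user-space model. The code below is an added illustration, not the kernel's bpf_sk_storage.c and not the fix's diff: the struct names, the unlink_begin()/unlink_finish() split and the clone functions are assumptions chosen to mirror the sequence the commit message describes. The "window" is opened deterministically by running the first half of the unlink and then cloning, which is the interleaving the KASAN report shows. The pre-fix reader returns -1 at the point where the kernel dereferenced NULL, so both variants can run side by side; the fixed reader reads smap once, skips the element when it is NULL and passes the validated pointer on, as the fix does for bpf_sk_storage_clone() and diag_get().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of the pattern in the advisory (added example, not kernel
 * code). A socket's local storage is a list of elements; each element points
 * at the map (smap) that owns it. */
struct smap {
    int    map_id;
    size_t value_size;          /* bytes of payload an element of this map carries */
};

struct selem {
    struct selem *next;
    struct smap  *smap;         /* owning map; cleared FIRST during unlink */
    unsigned char data[32];
};

struct storage {
    struct selem *head;
};

static void storage_add(struct storage *st, struct selem *e)
{
    e->next = st->head;
    st->head = e;
}

/* Unlink sequence as the advisory describes it: smap is cleared before the
 * element is removed from the list. A reader running between these two calls
 * sees an element that is still on the list but whose smap is NULL. */
static void unlink_begin(struct selem *e)
{
    e->smap = NULL;
}

static void unlink_finish(struct storage *st, struct selem *e)
{
    for (struct selem **pp = &st->head; *pp; pp = &(*pp)->next) {
        if (*pp == e) {
            *pp = e->next;
            e->next = NULL;
            return;
        }
    }
}

/* Copy one element; the owning map is needed to know how much data to copy. */
static struct selem *selem_copy(struct smap *smap, const struct selem *src)
{
    struct selem *dst = calloc(1, sizeof(*dst));
    if (!dst)
        return NULL;
    dst->smap = smap;
    memcpy(dst->data, src->data, smap->value_size);
    return dst;
}

/* Pre-fix assumption: every element on the list has a valid smap. The kernel
 * dereferenced it and faulted; this model returns -1 at that point instead so
 * the two variants can be compared. Returns the number of elements cloned. */
static int clone_storage_unchecked(const struct storage *src, struct storage *dst)
{
    int n = 0;
    for (const struct selem *e = src->head; e; e = e->next) {
        struct smap *smap = e->smap;
        if (!smap)
            return -1;          /* the NULL pointer dereference would happen here */
        struct selem *c = selem_copy(smap, e);
        if (!c)
            return -1;
        storage_add(dst, c);
        n++;
    }
    return n;
}

/* Fixed reader: read smap once, skip the element when it is NULL (it is
 * mid-unlink and must not be cloned), and hand the validated pointer on
 * rather than re-reading it later. */
static int clone_storage_checked(const struct storage *src, struct storage *dst)
{
    int n = 0;
    for (const struct selem *e = src->head; e; e = e->next) {
        struct smap *smap = e->smap;
        if (!smap)
            continue;
        struct selem *c = selem_copy(smap, e);
        if (!c)
            return -1;
        storage_add(dst, c);
        n++;
    }
    return n;
}

static void storage_free(struct storage *st)
{
    while (st->head) {
        struct selem *e = st->head;
        st->head = e->next;
        free(e);
    }
}

int main(void)
{
    /* Constructed scenario: three elements, the middle one caught mid-unlink. */
    struct smap maps[3] = { {1, 4}, {2, 8}, {3, 16} };
    struct selem elems[3];
    struct storage src = { NULL }, a = { NULL }, b = { NULL };
    memset(elems, 0, sizeof(elems));
    for (int i = 0; i < 3; i++) {
        elems[i].smap = &maps[i];
        storage_add(&src, &elems[i]);
    }
    unlink_begin(&elems[1]);                                /* window opens  */
    printf("unchecked clone in window: %d\n", clone_storage_unchecked(&src, &a));
    printf("checked clone in window:   %d\n", clone_storage_checked(&src, &b));
    unlink_finish(&src, &elems[1]);                         /* window closes */
    storage_free(&a);
    storage_free(&b);
    return 0;
}
```

In the window the unchecked walk stops with -1 at the orphaned element while the checked walk clones the two live elements; once unlink_finish() has run, both walks agree, which is why the bug only shows up under concurrency.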