VDB

CVE-2026-53085

CVE-2026-53085 PUBLISHED CVSS 7.8 HIGH

Reported by Linux · Published June 24, 2026

In the Linux kernel, the following vulnerability has been resolved: bpf: fix mm lifecycle in open-coded task_vma iterator The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed as it is not SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free. Safely read task->mm with a trylock on alloc_lock and acquire an mm reference. Drop the reference via bpf_iter_mmput_async() in _destroy() and error paths. bpf_iter_mmput_async() is a local wrapper around mmput_async() with a fallback to mmput() on !CONFIG_MMU. Reject irqs-disabled contexts (including NMI) up front. Operations used by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async) take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from NMI or from a tracepoint that fires with those locks held could deadlock. A trylock on alloc_lock is used instead of the blocking task_lock() (get_task_mm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.

Risk Scores

CVSS 3.1
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
LinuxLinux4ac4546821584736798aaa9e97da9f6eaf689ea3, 4ac4546821584736798aaa9e97da9f6eaf689ea3, 4ac4546821584736798aaa9e97da9f6eaf689ea3
LinuxLinux6.7, 0, 6.12.91
Red HatRed Hat Enterprise Linux 9
Red HatRed Hat Enterprise Linux 6
Red HatRed Hat Enterprise Linux 10
Red HatRed Hat Enterprise Linux 8
Red HatRed Hat Enterprise Linux 7
LinuxLinux7.1, 7.1, 4ac4546821584736798aaa9e97da9f6eaf689ea3
linuxlinux_kernel6.7, 6.7, 6.7

Timeline

  • Jun 24, 2026 CVE Published
  • Jun 25, 2026 EPSS Score
  • Jun 25, 2026 Coalition ESS Score
  • Jul 7, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›