CVE-2026-23319

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 25/03/2026
Last modified: 23/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim

The root cause of this bug is that when 'bpf_link_put' reduces the
refcount of 'shim_link->link.link' to zero, the resource is considered
released but may still be referenced via 'tr->progs_hlist' in
'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in
'bpf_shim_tramp_link_release' is deferred. During this window, another
process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.

Based on Martin KaFai Lau's suggestions, I have created a simple patch.

To fix this:
Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.
Only increment the refcount if it is not already zero.

Testing:
I verified the fix by adding a delay in
'bpf_shim_tramp_link_release' to make the bug easier to trigger:

 static void bpf_shim_tramp_link_release(struct bpf_link *link)
 {
     /* ... */
     if (!shim_link->trampoline)
         return;

+    msleep(100);
     WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,
         shim_link->trampoline, NULL));
     bpf_trampoline_put(shim_link->trampoline);
 }

Before the patch, running a PoC easily reproduced the crash (almost 100%)
with a call trace similar to KaiyanM's report.
After the patch, the bug no longer occurs even after millions of
iterations.
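
A userspace C11 model of the reference-count window described above, added here as an illustration and not taken from the kernel patch; struct link_model, link_put, link_get_not_zero and find_and_get are hypothetical names standing in for the kernel objects. It shows why an unconditional increment after a list lookup revives an object whose count is already zero, and how an increment-if-non-zero refuses it.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace model, hypothetical names: release is deferred, so the object
 * stays on the lookup list after its refcount has already dropped to zero. */
struct link_model {
    atomic_long refcnt;
    bool on_list;               /* still reachable by the lookup path */
};

/* Returns true when the last reference was dropped (release now pending). */
static bool link_put(struct link_model *l)
{
    return atomic_fetch_sub(&l->refcnt, 1) == 1;
}

/* Fixed pattern: increment only if the count is non-zero (CAS loop). */
static bool link_get_not_zero(struct link_model *l)
{
    long old = atomic_load(&l->refcnt);
    while (old != 0) {
        /* On failure, old is reloaded with the current value; retry. */
        if (atomic_compare_exchange_weak(&l->refcnt, &old, old + 1))
            return true;
    }
    return false;
}

/* Lookup then get. NULL means no reference was taken. */
static struct link_model *find_and_get(struct link_model *l, bool checked)
{
    if (!l->on_list)
        return NULL;
    if (checked)
        return link_get_not_zero(l) ? l : NULL;
    atomic_fetch_add(&l->refcnt, 1);   /* pre-fix: unconditional get */
    return l;
}

int main(void)
{
    struct link_model l = { .refcnt = 1, .on_list = true };
    link_put(&l);                      /* count is 0, entry still listed */
    return find_and_get(&l, true) == NULL ? 0 : 1;
}
```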

Vulnerable products and versions

CPE                                           From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.0.1 (including)  6.1.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.2 (including)    6.6.130 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.7 (including)    6.12.77 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.13 (including)   6.18.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.19 (including)   6.19.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.0:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*