CVE-2026-45837
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-416
Utilización después de liberación
Fecha de publicación:
27/05/2026
Última modificación:
26/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
bpf: Fix use-after-free in arena_vm_close on fork<br />
<br />
arena_vm_open() only bumps vml->mmap_count but never registers the<br />
child VMA in arena->vma_list. The vml->vma always points at the<br />
parent VMA, so after parent munmap the pointer dangles. If the child<br />
then calls bpf_arena_free_pages(), zap_pages() reads the stale<br />
vml->vma triggering use-after-free.<br />
<br />
Fix this by preventing the arena VMA from being inherited across<br />
fork with VM_DONTCOPY, and preventing VMA splits via the may_split<br />
callback.<br />
<br />
Also reject mremap with a .mremap callback returning -EINVAL. A<br />
same-size mremap(MREMAP_FIXED) on the full arena VMA reaches<br />
copy_vma() through the following path:<br />
<br />
check_prep_vma() - returns 0 early: new_len == old_len<br />
skips VM_DONTEXPAND check<br />
prep_move_vma() - vm_start == old_addr and<br />
vm_end == old_addr + old_len<br />
so may_split is never called<br />
move_vma()<br />
copy_vma_and_data()<br />
copy_vma()<br />
vm_area_dup() - copies vm_private_data (vml pointer)<br />
vm_ops->open() - bumps vml->mmap_count<br />
vm_ops->mremap() - returns -EINVAL, rollback unmaps new VMA<br />
<br />
The refcount ensures the rollback&#39;s arena_vm_close does not free<br />
the vml shared with the original VMA.
Impacto
Puntuación base 3.x
7.80
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.9 (incluyendo) | 6.12.88 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.30 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.7 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



