CVE-2026-23342

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-23342
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix race in cpumap on PREEMPT_RT On PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU. The original code assumes bq_enqueue() and __cpu_map_flush() run atomically with respect to each other on the same CPU, relying on local_bh_disable() to prevent preemption. However, on PREEMPT_RT, local_bh_disable() only calls migrate_disable() (when PREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable preemption, which allows CFS scheduling to preempt a task during bq_flush_to_queue(), enabling another task on the same CPU to enter bq_enqueue() and operate on the same per-CPU bq concurrently. This leads to several races: 1. Double __list_del_clearprev(): after bq->count is reset in bq_flush_to_queue(), a preempting task can call bq_enqueue() -> bq_flush_to_queue() on the same bq when bq->count reaches CPU_MAP_BULK_SIZE. Both tasks then call __list_del_clearprev() on the same bq->flush_node, the second call dereferences the prev pointer that was already set to NULL by the first. 2. bq->count and bq->q[] races: concurrent bq_enqueue() can corrupt the packet queue while bq_flush_to_queue() is processing it. The race between task A (__cpu_map_flush -> bq_flush_to_queue) and task B (bq_enqueue -> bq_flush_to_queue) on the same CPU: Task A (xdp_do_flush) Task B (cpu_map_enqueue) ---------------------- ------------------------ bq_flush_to_queue(bq) spin_lock(&q->producer_lock) /* flush bq->q[] to ptr_ring */ bq->count = 0 spin_unlock(&q->producer_lock) bq_enqueue(rcpu, xdpf) <-- CFS preempts Task A --> bq->q[bq->count++] = xdpf /* ... more enqueues until full ... */ bq_flush_to_queue(bq) spin_lock(&q->producer_lock) /* flush to ptr_ring */ spin_unlock(&q->producer_lock) __list_del_clearprev(flush_node) /* sets flush_node.prev = NULL */ <-- Task A resumes --> __list_del_clearprev(flush_node) flush_node.prev->next = ... /* prev is NULL -> kernel oops */ Fix this by adding a local_lock_t to xdp_bulk_queue and acquiring it in bq_enqueue() and __cpu_map_flush(). These paths already run under local_bh_disable(), so use local_lock_nested_bh() which on non-RT is a pure annotation with no overhead, and on PREEMPT_RT provides a per-CPU sleeping lock that serializes access to the bq. To reproduce, insert an mdelay(100) between bq->count = 0 and __list_del_clearprev() in bq_flush_to_queue(), then run reproducer provided by syzkaller.

4.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/7466ae2aeed483de80c5d8dea0913cf74038b652 Patch
https://git.kernel.org/stable/c/869c63d5975d55e97f6b168e885452b3da20ea47 Patch
https://git.kernel.org/stable/c/e67299e1044349ad0088d52c6bc5764cc1816c06 Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
History

23 Apr 2026, 21:16

Type Values Removed Values Added
CWE CWE-362
CPE cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.7
Summary
  • (es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: bpf: Corrige condición de carrera en cpumap en PREEMPT_RT En kernels PREEMPT_RT, la xdp_bulk_queue (bq) por CPU puede ser accedida concurrentemente por múltiples tareas preemptibles en la misma CPU. El código original asume que bq_enqueue() y __cpu_map_flush() se ejecutan atómicamente una con respecto a la otra en la misma CPU, confiando en local_bh_disable() para prevenir la preemption. Sin embargo, en PREEMPT_RT, local_bh_disable() solo llama a migrate_disable() (cuando PREEMPT_RT_NEEDS_BH_LOCK no está configurado) y no deshabilita la preemption, lo que permite que la planificación CFS preempte una tarea durante bq_flush_to_queue(), permitiendo que otra tarea en la misma CPU entre en bq_enqueue() y opere en la misma bq por CPU concurrentemente. Esto conduce a varias condiciones de carrera: 1. Doble __list_del_clearprev(): después de que bq-&gt;count se reinicia en bq_flush_to_queue(), una tarea preemptora puede llamar a bq_enqueue() -&gt; bq_flush_to_queue() en la misma bq cuando bq-&gt;count alcanza CPU_MAP_BULK_SIZE. Ambas tareas luego llaman a __list_del_clearprev() en el mismo bq-&gt;flush_node, la segunda llamada desreferencia el puntero prev que ya había sido establecido a NULL por la primera. 2. Condiciones de carrera de bq-&gt;count y bq-&gt;q[]: bq_enqueue() concurrente puede corromper la cola de paquetes mientras bq_flush_to_queue() la está procesando. La condición de carrera entre la tarea A (__cpu_map_flush -&gt; bq_flush_to_queue) y la tarea B (bq_enqueue -&gt; bq_flush_to_queue) en la misma CPU: Tarea A (xdp_do_flush) Tarea B (cpu_map_enqueue) ---------------------- ------------------------ bq_flush_to_queue(bq) spin_lock(&amp;q-&gt;producer_lock) /* vaciar bq-&gt;q[] a ptr_ring */ bq-&gt;count = 0 spin_unlock(&amp;q-&gt;producer_lock) bq_enqueue(rcpu, xdpf) &lt;-- CFS preempte la Tarea A --&gt; bq-&gt;q[bq-&gt;count++] = xdpf /* ... más encolamientos hasta llenarse ... */ bq_flush_to_queue(bq) spin_lock(&amp;q-&gt;producer_lock) /* vaciar a ptr_ring */ spin_unlock(&amp;q-&gt;producer_lock) __list_del_clearprev(flush_node) /* establece flush_node.prev = NULL */ &lt;-- La Tarea A se reanuda --&gt; __list_del_clearprev(flush_node) flush_node.prev-&gt;next = ... /* prev es NULL -&gt; kernel oops */ Solucione esto añadiendo un local_lock_t a xdp_bulk_queue y adquiriéndolo en bq_enqueue() y __cpu_map_flush(). Estas rutas ya se ejecutan bajo local_bh_disable(), por lo que se usa local_lock_nested_bh() que en sistemas no-RT es una anotación pura sin sobrecarga, y en PREEMPT_RT proporciona un bloqueo de suspensión por CPU que serializa el acceso a la bq. Para reproducir, inserte un mdelay(100) entre bq-&gt;count = 0 y __list_del_clearprev() en bq_flush_to_queue(), luego ejecute el reproductor proporcionado por syzkaller.
References () https://git.kernel.org/stable/c/7466ae2aeed483de80c5d8dea0913cf74038b652 - () https://git.kernel.org/stable/c/7466ae2aeed483de80c5d8dea0913cf74038b652 - Patch
References () https://git.kernel.org/stable/c/869c63d5975d55e97f6b168e885452b3da20ea47 - () https://git.kernel.org/stable/c/869c63d5975d55e97f6b168e885452b3da20ea47 - Patch
References () https://git.kernel.org/stable/c/e67299e1044349ad0088d52c6bc5764cc1816c06 - () https://git.kernel.org/stable/c/e67299e1044349ad0088d52c6bc5764cc1816c06 - Patch
First Time Linux
Linux linux Kernel

25 Mar 2026, 11:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-25 11:16

Updated : 2026-04-23 21:16

NVD link : CVE-2026-23342

Mitre link : CVE-2026-23342

CVE.ORG link : CVE-2026-23342

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')