In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix use-after-free in arena_vm_close on fork
arena_vm_open() only bumps vml->mmap_count but never registers the
child VMA in arena->vma_list. The vml->vma always points at the
parent VMA, so after parent munmap the pointer dangles. If the child
then calls bpf_arena_free_pages(), zap_pages() reads the stale
vml->vma triggering use-after-free.
Fix this by preventing the arena VMA from being inherited across
fork with VM_DONTCOPY, and preventing VMA splits via the may_split
callback.
Also reject mremap with a .mremap callback returning -EINVAL. A
same-size mremap(MREMAP_FIXED) on the full arena VMA reaches
copy_vma() through the following path:
check_prep_vma() - returns 0 early: new_len == old_len
skips VM_DONTEXPAND check
prep_move_vma() - vm_start == old_addr and
vm_end == old_addr + old_len
so may_split is never called
move_vma()
copy_vma_and_data()
copy_vma()
vm_area_dup() - copies vm_private_data (vml pointer)
vm_ops->open() - bumps vml->mmap_count
vm_ops->mremap() - returns -EINVAL, rollback unmaps new VMA
The refcount ensures the rollback's arena_vm_close does not free
the vml shared with the original VMA.
References
Configurations
Configuration 1 (hide)
|
History
26 Jun 2026, 19:09
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-416 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
| First Time |
Linux linux Kernel
Linux |
|
| CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| References | () https://git.kernel.org/stable/c/201128fcc7b213d27ab77bc4e89488b41796480f - Patch | |
| References | () https://git.kernel.org/stable/c/4fddde2a732de60bb97e3307d4eb69ac5f1d2b74 - Patch | |
| References | () https://git.kernel.org/stable/c/723b9fa930cc277c15ce6b9ec9feec828cfac9d7 - Patch | |
| References | () https://git.kernel.org/stable/c/d18099f19e53250f8ad2801498b88cec29d9107a - Patch |
27 May 2026, 11:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-27 11:16
Updated : 2026-06-26 19:09
NVD link : CVE-2026-45837
Mitre link : CVE-2026-45837
CVE.ORG link : CVE-2026-45837
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-416
Use After Free
