CVE-2026-23342

Published: Mar 25, 2026 Last Modified: Mar 25, 2026

ExploitDB:

Other exploit source:

Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix race in cpumap on PREEMPT_RT

On PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed
concurrently by multiple preemptible tasks on the same CPU.

The original code assumes bq_enqueue() and __cpu_map_flush() run
atomically with respect to each other on the same CPU, relying on
local_bh_disable() to prevent preemption. However, on PREEMPT_RT,
local_bh_disable() only calls migrate_disable() (when
PREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable
preemption, which allows CFS scheduling to preempt a task during
bq_flush_to_queue(), enabling another task on the same CPU to enter
bq_enqueue() and operate on the same per-CPU bq concurrently.

This leads to several races:

1. Double __list_del_clearprev(): after bq->count is reset in
bq_flush_to_queue(), a preempting task can call bq_enqueue() ->
bq_flush_to_queue() on the same bq when bq->count reaches
CPU_MAP_BULK_SIZE. Both tasks then call __list_del_clearprev()
on the same bq->flush_node, the second call dereferences the
prev pointer that was already set to NULL by the first.

2. bq->count and bq->q[] races: concurrent bq_enqueue() can corrupt
the packet queue while bq_flush_to_queue() is processing it.

The race between task A (__cpu_map_flush -> bq_flush_to_queue) and
task B (bq_enqueue -> bq_flush_to_queue) on the same CPU:

Task A (xdp_do_flush) Task B (cpu_map_enqueue)
---------------------- ------------------------
bq_flush_to_queue(bq)
spin_lock(&q->producer_lock)
/* flush bq->q[] to ptr_ring */
bq->count = 0
spin_unlock(&q->producer_lock)
bq_enqueue(rcpu, xdpf)
<-- CFS preempts Task A --> bq->q[bq->count++] = xdpf
/* ... more enqueues until full ... */
bq_flush_to_queue(bq)
spin_lock(&q->producer_lock)
/* flush to ptr_ring */
spin_unlock(&q->producer_lock)
__list_del_clearprev(flush_node)
/* sets flush_node.prev = NULL */
<-- Task A resumes -->
__list_del_clearprev(flush_node)
flush_node.prev->next = ...
/* prev is NULL -> kernel oops */

Fix this by adding a local_lock_t to xdp_bulk_queue and acquiring it
in bq_enqueue() and __cpu_map_flush(). These paths already run under
local_bh_disable(), so use local_lock_nested_bh() which on non-RT is
a pure annotation with no overhead, and on PREEMPT_RT provides a
per-CPU sleeping lock that serializes access to the bq.

To reproduce, insert an mdelay(100) between bq->count = 0 and
__list_del_clearprev() in bq_flush_to_queue(), then run reproducer
provided by syzkaller.

AI Generated Translation

Nel kernel Linux, è stata risolta la seguente vulnerabilità:

bpf: Correzione di race condition in cpumap su PREEMPT_RT

Su kernel PREEMPT_RT, l'xdp_bulk_queue (bq) per-CPU può essere accesso
concorrenzialmente da più task preemptibili sulla stessa CPU.

Il codice originale presuppone che bq_enqueue() e __cpu_map_flush() vengano
eseguiti in modo atomico l’uno rispetto all’altro sulla stessa CPU, facendo
affidamento su local_bh_disable() per prevenire la preemption. Tuttavia, su PREEMPT_RT,
local_bh_disable() chiama solo migrate_disable() (quando PREEMPT_RT_NEEDS_BH_LOCK non è impostato)
e non disabilita la preemption, consentendo così al scheduler CFS di preemptare un task durante
bq_flush_to_queue(), permettendo a un altro task sulla stessa CPU di entrare in
bq_enqueue() e operare sullo stesso per-CPU bq in modo concorrente.

Ciò porta a diverse race condition:

1. Double __list_del_clearprev(): dopo che bq->count viene azzerato in
bq_flush_to_queue(), un task preemptor può chiamare bq_enqueue() ->
bq_flush_to_queue() sullo stesso bq quando bq->count raggiunge
CPU_MAP_BULK_SIZE. Entrambi i task chiamano quindi __list_del_clearprev()
sullo stesso bq->flush_node, e la seconda chiamata dereferenzia il
puntatore prev che era già stato impostato a NULL dalla prima.

2. Race tra bq->count e bq->q[]: un bq_enqueue() concorrente può corrompere
la coda dei pacchetti mentre bq_flush_to_queue() la sta processando.

La race tra task A (__cpu_map_flush -> bq_flush_to_queue) e
task B (bq_enqueue -> bq_flush_to_queue) sulla stessa CPU:

Task A (xdp_do_flush) Task B (cpu_map_enqueue)
---------------------- ------------------------
bq_flush_to_queue(bq)
spin_lock(&q->producer_lock)
/* flush di bq->q[] nel ptr_ring */
bq->count = 0
spin_unlock(&q->producer_lock)
bq_enqueue(rcpu, xdpf)
<-- CFS preempta Task A --> bq->q[bq->count++] = xdpf
/* ... altri enqueue fino a riempimento ... */
bq_flush_to_queue(bq)
spin_lock(&q->producer_lock)
/* flush nel ptr_ring */
spin_unlock(&q->producer_lock)
__list_del_clearprev(flush_node)
/* imposta flush_node.prev = NULL */
<-- Task A riprende -->
__list_del_clearprev(flush_node)
flush_node.prev->next = ...
/* prev è NULL -> kernel oops */

Per risolvere, si aggiunge un lock di tipo local_lock_t alla struttura xdp_bulk_queue e si acquisisce in bq_enqueue() e __cpu_map_flush(). Questi percorsi sono già eseguiti sotto local_bh_disable(), quindi si utilizza local_lock_nested_bh(), che su sistemi non-RT è una semplice annotazione senza overhead, mentre su PREEMPT_RT fornisce un lock per-CPU che serializza l’accesso a bq.

Per riprodurre, inserire un delay di 100ms (mdelay(100)) tra bq->count = 0 e __list_del_clearprev() in bq_flush_to_queue(), quindi eseguire il riproduttore fornito da syzkaller.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0002

Percentile

0,0th

Updated

Single Data Point

Only one EPSS measurement is available for this CVE. Trend analysis requires multiple data points over time.

https://git.kernel.org/stable/c/7466ae2aeed483de80c5d8dea09…

https://git.kernel.org/stable/c/7466ae2aeed483de80c5d8dea0913cf74038b652

https://git.kernel.org/stable/c/869c63d5975d55e97f6b168e885…

https://git.kernel.org/stable/c/869c63d5975d55e97f6b168e885452b3da20ea47

https://git.kernel.org/stable/c/e67299e1044349ad0088d52c6bc…

https://git.kernel.org/stable/c/e67299e1044349ad0088d52c6bc5764cc1816c06

CVE-2026-23342

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

Single Data Point

Iscriviti alla newsletter