In the Linux kernel, the following vulnerability has been resolved:

bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path

The DEVMAP_HASH branch in dev_map_redirect_multi() uses
hlist_for_each_entry_safe() to iterate hash buckets, but this function
runs under RCU protection (called from xdp_do_generic_redirect_map()
in softirq context). Concurrent writers (__dev_map_hash_update_elem,
dev_map_hash_delete_elem) modify the list using RCU primitives
(hlist_add_head_rcu, hlist_del_rcu).

hlist_for_each_entry_safe() performs plain pointer dereferences without
rcu_dereference(), missing the acquire barrier needed to pair with
writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64,
POWER), a reader can observe a partially-constructed node. It also
defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race
detection.

Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held()
as the lockdep condition, consistent with the rcu_dereference_check()
used in the DEVMAP (non-hash) branch of the same functions. Also fix
the same incorrect lockdep_is_held(&dtab->index_lock) condition in
dev_map_enqueue_multi(), where the lock is not held either.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Linux Linux unaffected
Version Status Constraints
e624d4ed4aa8cc3c69d1359b0aaea539203ed266 affected < 4a3d0fe30b907ff324b1b49756f7e713d67f3645
e624d4ed4aa8cc3c69d1359b0aaea539203ed266 affected < b089aa6e94d7a08e74d076a0fe274842dc9feccc
e624d4ed4aa8cc3c69d1359b0aaea539203ed266 affected < 571a05ea1baaccc0dc1e0d227b2cbc978b96d392
e624d4ed4aa8cc3c69d1359b0aaea539203ed266 affected < cb2c1f3cf65b855548e1b8d55a08bfbaa5a0901a
e624d4ed4aa8cc3c69d1359b0aaea539203ed266 affected < d4c4bd231ebad70e6f30db429e9640bf378b2f52
e624d4ed4aa8cc3c69d1359b0aaea539203ed266 affected < 7027e705062482a8cea43a1c13ede3c35653966f
e624d4ed4aa8cc3c69d1359b0aaea539203ed266 affected < 8ed82f807bb09d2c8455aaa665f2c6cb17bc6a19
Linux Linux affected
Version Status Constraints
5.14 affected
0 unaffected < 5.14
5.15.209 unaffected ≤ 5.15.*
6.1.175 unaffected ≤ 6.1.*
6.6.141 unaffected ≤ 6.6.*
6.12.91 unaffected ≤ 6.12.*
6.18.33 unaffected ≤ 6.18.*
7.0.10 unaffected ≤ 7.0.*
7.1 unaffected ≤ *

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

No data.

Project Subscriptions

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/4a3d0fe30b907ff324b1b49756f7e713d67f3645 cve-icon
https://git.kernel.org/stable/c/571a05ea1baaccc0dc1e0d227b2cbc978b96d392 cve-icon
https://git.kernel.org/stable/c/7027e705062482a8cea43a1c13ede3c35653966f cve-icon
https://git.kernel.org/stable/c/8ed82f807bb09d2c8455aaa665f2c6cb17bc6a19 cve-icon
https://git.kernel.org/stable/c/b089aa6e94d7a08e74d076a0fe274842dc9feccc cve-icon
https://git.kernel.org/stable/c/cb2c1f3cf65b855548e1b8d55a08bfbaa5a0901a cve-icon
https://git.kernel.org/stable/c/d4c4bd231ebad70e6f30db429e9640bf378b2f52 cve-icon
History

Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-603
CWE-815

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path The DEVMAP_HASH branch in dev_map_redirect_multi() uses hlist_for_each_entry_safe() to iterate hash buckets, but this function runs under RCU protection (called from xdp_do_generic_redirect_map() in softirq context). Concurrent writers (__dev_map_hash_update_elem, dev_map_hash_delete_elem) modify the list using RCU primitives (hlist_add_head_rcu, hlist_del_rcu). hlist_for_each_entry_safe() performs plain pointer dereferences without rcu_dereference(), missing the acquire barrier needed to pair with writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64, POWER), a reader can observe a partially-constructed node. It also defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race detection. Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held() as the lockdep condition, consistent with the rcu_dereference_check() used in the DEVMAP (non-hash) branch of the same functions. Also fix the same incorrect lockdep_is_held(&dtab->index_lock) condition in dev_map_enqueue_multi(), where the lock is not held either.
Title bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:34.477Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53096

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T21:00:11Z

Weaknesses