{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23342","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.999Z","datePublished":"2026-03-25T10:27:30.285Z","dateUpdated":"2026-05-11T22:04:59.186Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:04:59.186Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix race in cpumap on PREEMPT_RT\n\nOn PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed\nconcurrently by multiple preemptible tasks on the same CPU.\n\nThe original code assumes bq_enqueue() and __cpu_map_flush() run\natomically with respect to each other on the same CPU, relying on\nlocal_bh_disable() to prevent preemption. However, on PREEMPT_RT,\nlocal_bh_disable() only calls migrate_disable() (when\nPREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable\npreemption, which allows CFS scheduling to preempt a task during\nbq_flush_to_queue(), enabling another task on the same CPU to enter\nbq_enqueue() and operate on the same per-CPU bq concurrently.\n\nThis leads to several races:\n\n1. Double __list_del_clearprev(): after bq->count is reset in\n   bq_flush_to_queue(), a preempting task can call bq_enqueue() ->\n   bq_flush_to_queue() on the same bq when bq->count reaches\n   CPU_MAP_BULK_SIZE. Both tasks then call __list_del_clearprev()\n   on the same bq->flush_node, the second call dereferences the\n   prev pointer that was already set to NULL by the first.\n\n2. bq->count and bq->q[] races: concurrent bq_enqueue() can corrupt\n   the packet queue while bq_flush_to_queue() is processing it.\n\nThe race between task A (__cpu_map_flush -> bq_flush_to_queue) and\ntask B (bq_enqueue -> bq_flush_to_queue) on the same CPU:\n\n  Task A (xdp_do_flush)          Task B (cpu_map_enqueue)\n  ----------------------         ------------------------\n  bq_flush_to_queue(bq)\n    spin_lock(&q->producer_lock)\n    /* flush bq->q[] to ptr_ring */\n    bq->count = 0\n    spin_unlock(&q->producer_lock)\n                                   bq_enqueue(rcpu, xdpf)\n    <-- CFS preempts Task A -->      bq->q[bq->count++] = xdpf\n                                     /* ... more enqueues until full ... */\n                                     bq_flush_to_queue(bq)\n                                       spin_lock(&q->producer_lock)\n                                       /* flush to ptr_ring */\n                                       spin_unlock(&q->producer_lock)\n                                       __list_del_clearprev(flush_node)\n                                         /* sets flush_node.prev = NULL */\n    <-- Task A resumes -->\n    __list_del_clearprev(flush_node)\n      flush_node.prev->next = ...\n      /* prev is NULL -> kernel oops */\n\nFix this by adding a local_lock_t to xdp_bulk_queue and acquiring it\nin bq_enqueue() and __cpu_map_flush(). These paths already run under\nlocal_bh_disable(), so use local_lock_nested_bh() which on non-RT is\na pure annotation with no overhead, and on PREEMPT_RT provides a\nper-CPU sleeping lock that serializes access to the bq.\n\nTo reproduce, insert an mdelay(100) between bq->count = 0 and\n__list_del_clearprev() in bq_flush_to_queue(), then run reproducer\nprovided by syzkaller."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/cpumap.c"],"versions":[{"version":"3253cb49cbad4772389d6ef55be75db1f97da910","lessThan":"7466ae2aeed483de80c5d8dea0913cf74038b652","status":"affected","versionType":"git"},{"version":"3253cb49cbad4772389d6ef55be75db1f97da910","lessThan":"e67299e1044349ad0088d52c6bc5764cc1816c06","status":"affected","versionType":"git"},{"version":"3253cb49cbad4772389d6ef55be75db1f97da910","lessThan":"869c63d5975d55e97f6b168e885452b3da20ea47","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/cpumap.c"],"versions":[{"version":"6.18","status":"affected"},{"version":"0","lessThan":"6.18","status":"unaffected","versionType":"semver"},{"version":"6.18.17","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.7","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.18.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.19.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7466ae2aeed483de80c5d8dea0913cf74038b652"},{"url":"https://git.kernel.org/stable/c/e67299e1044349ad0088d52c6bc5764cc1816c06"},{"url":"https://git.kernel.org/stable/c/869c63d5975d55e97f6b168e885452b3da20ea47"}],"title":"bpf: Fix race in cpumap on PREEMPT_RT","x_generator":{"engine":"bippy-1.2.0"}}}}