{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-52938","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.370Z","datePublished":"2026-06-24T07:14:27.952Z","dateUpdated":"2026-06-27T10:25:25.035Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-27T10:25:25.035Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths\n\nbpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before\nremoving the selem from the storage hlist. A concurrent RCU reader in\nbpf_sk_storage_clone() can observe the selem still on the list with\nsmap already NULL, causing a NULL pointer dereference.\n\n general protection fault, probably for non-canonical address 0xdffffc000000000a:\n KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057]\n RIP: 0010:bpf_sk_storage_clone+0x1cd/0xaa0 net/core/bpf_sk_storage.c:174\n Call Trace:\n  <IRQ>\n  sk_clone+0xfed/0x1980 net/core/sock.c:2591\n  inet_csk_clone_lock+0x30/0x760 net/ipv4/inet_connection_sock.c:1222\n  tcp_create_openreq_child+0x35/0x2680 net/ipv4/tcp_minisocks.c:571\n  tcp_v4_syn_recv_sock+0x123/0xf90 net/ipv4/tcp_ipv4.c:1729\n  tcp_check_req+0x8e1/0x2580 include/net/tcp.h:855\n  tcp_v4_rcv+0x1845/0x3b80 net/ipv4/tcp_ipv4.c:2347\n\nAdd a NULL check for smap in bpf_sk_storage_clone().\n\nbpf_sk_storage_diag_put_all() has the same issue. Add a NULL check\nand pass the validated smap directly to diag_get(), which is refactored\nto take smap as a parameter instead of reading it internally.\n\nbpf_sk_storage_diag_put() uses diag->maps[i] which is always valid\nunder its refcount, so diag->maps[i] is passed directly to diag_get()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/bpf_sk_storage.c"],"versions":[{"version":"5d800f87d0a5ea1b156c47a4b9fd128479335153","lessThan":"16af24fea29c209dea53595c99f6da9398548e1b","status":"affected","versionType":"git"},{"version":"5d800f87d0a5ea1b156c47a4b9fd128479335153","lessThan":"375e4e33c18dfa05c5dfd5f3dfffeb29343dd4c7","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/bpf_sk_storage.c"],"versions":[{"version":"7.0","status":"affected"},{"version":"0","lessThan":"7.0","status":"unaffected","versionType":"semver"},{"version":"7.0.14","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/16af24fea29c209dea53595c99f6da9398548e1b"},{"url":"https://git.kernel.org/stable/c/375e4e33c18dfa05c5dfd5f3dfffeb29343dd4c7"}],"title":"bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths","x_generator":{"engine":"bippy-1.2.0"}}}}