CVE-2026-53084

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf: return VMA snapshot from task_vma iterator

Holding the per-VMA lock across the BPF program body creates a lock ordering problem when helpers acquire locks that depend on mmap_lock:

vm_lock -> i_rwsem -> mmap_lock -> vm_lock

Snapshot the VMA under the per-VMA lock in _next() via memcpy(), then drop the lock before returning. The BPF program accesses only the snapshot.

The verifier only trusts vm_mm and vm_file pointers (see BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is reference- counted with get_file() under the lock and released via fput() on the next iteration or in _destroy(). vm_mm is already correct because lock_vma_under_rcu() verifies vma->vm_mm == mm. All other pointers are left as-is by memcpy() since the verifier treats them as untrusted.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux4ac4546821584736798aaa9e97da9f6eaf689ea3 < 83b8802c034e843b83a3e1ef6f30cdd4e9ec291caffected
LinuxLinux4ac4546821584736798aaa9e97da9f6eaf689ea3 < 592226d138378601ae28eb890e2bbc23ec3600f7affected
LinuxLinux4ac4546821584736798aaa9e97da9f6eaf689ea3 < 13860ca37b8df0b856ee1ce3bdbd7c327d5f53e8affected
LinuxLinux4ac4546821584736798aaa9e97da9f6eaf689ea3 < 4cbee026db54cad39c39db4d356100cb133412b3affected
LinuxLinux6.7affected
LinuxLinux0 < 6.7unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References