CVE-2026-45838 PUBLISHED

bpf: fix end-of-list detection in cgroup_storage_get_next_key()

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

bpf: fix end-of-list detection in cgroup_storage_get_next_key()

list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.

Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from de9cbbaadba5adf88a19e46df61f7054000838f6 to b4b5a20bed82130da2f2818f04d52378952fbd0b (excl.)
  • affected from de9cbbaadba5adf88a19e46df61f7054000838f6 to 85a2f30e40f7468db732f55659bc6318874f49af (excl.)
  • affected from de9cbbaadba5adf88a19e46df61f7054000838f6 to 32ce55d424395904986f5066f8755f6cb9993377 (excl.)
  • affected from de9cbbaadba5adf88a19e46df61f7054000838f6 to fc39753b7f92e09177777e9c648afe5aa3abb81f (excl.)
  • affected from de9cbbaadba5adf88a19e46df61f7054000838f6 to 5828b9e5b272ecff7cf5d345128d3de7324117f7 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 4.19 is affected
  • unaffected from 0 to 4.19 (excl.)
  • unaffected from 6.6.141 to 6.6.* (incl.)
  • unaffected from 6.12.91 to 6.12.* (incl.)
  • unaffected from 6.18.33 to 6.18.* (incl.)
  • unaffected from 7.0.10 to 7.0.* (incl.)
  • unaffected from 7.1-rc1 to * (incl.)

References