SB20260325103 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in Linux kernel bpf
Published: March 25, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CVE-ID: CVE-2026-23342)
The vulnerability allows a local user to cause a denial of service, disclose sensitive information, and potentially execute arbitrary code.
The vulnerability exists due to improper synchronization in the BPF cpumap component when handling XDP packet enqueue and flush operations on PREEMPT_RT kernels. A local user can trigger concurrent access to the per-CPU xdp_bulk_queue by exploiting preemption during critical sections, leading to race conditions that corrupt internal state and cause memory corruption.
The issue arises specifically on PREEMPT_RT kernels where local_bh_disable() does not prevent preemption, allowing multiple tasks on the same CPU to concurrently access shared data structures.
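The following check is an added example, not part of the bulletin or vendor tooling: it reports whether a kernel matches the condition described above (a PREEMPT_RT build with BPF enabled), using the `uname -v` string and the kernel config text. The function names, verdict strings, sample configs and the `/boot/config-<release>` location are assumptions, and the check cannot tell whether the vendor fix is already installed.

```shell
#!/bin/sh
# Added example: does this kernel match the bulletin's described condition?

# Print yes/no/unknown: is this a PREEMPT_RT kernel?
# $1 = output of `uname -v`, $2 = kernel config text (may be empty).
is_preempt_rt() {
    case "$1" in *PREEMPT_RT*) echo yes; return 0 ;; esac
    [ -n "$2" ] || { echo unknown; return 0; }
    if printf '%s\n' "$2" | grep -qx 'CONFIG_PREEMPT_RT=y'; then echo yes; else echo no; fi
}

# Print yes/no/unknown: is the bpf() syscall (and so BPF maps) built in?
# $1 = kernel config text (may be empty).
has_bpf() {
    [ -n "$1" ] || { echo unknown; return 0; }
    if printf '%s\n' "$1" | grep -qx 'CONFIG_BPF_SYSCALL=y'; then echo yes; else echo no; fi
}

# Combine both answers into one verdict (hypothetical verdict strings).
# $1 = `uname -v` output, $2 = kernel config text.
cpumap_rt_exposure() {
    rt=$(is_preempt_rt "$1" "$2"); bpf=$(has_bpf "$2")
    if [ "$rt" = no ] || [ "$bpf" = no ]; then echo "outside-described-condition"
    elif [ "$rt" = yes ] && [ "$bpf" = yes ]; then echo "matches-described-condition"
    else echo "undetermined"; fi
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_RT_UNAME='#1 SMP PREEMPT_RT Thu Jan  1 00:00:00 UTC 2026'
SAMPLE_STD_UNAME='#1 SMP PREEMPT_DYNAMIC Thu Jan  1 00:00:00 UTC 2026'
SAMPLE_RT_CONFIG='CONFIG_PREEMPT_RT=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y'
SAMPLE_STD_CONFIG='# CONFIG_PREEMPT_RT is not set
CONFIG_PREEMPT_DYNAMIC=y
CONFIG_BPF_SYSCALL=y'
SAMPLE_NOBPF_CONFIG='CONFIG_PREEMPT_RT=y
# CONFIG_BPF_SYSCALL is not set'

echo "sample RT host:  $(cpumap_rt_exposure "$SAMPLE_RT_UNAME" "$SAMPLE_RT_CONFIG")"
echo "sample std host: $(cpumap_rt_exposure "$SAMPLE_STD_UNAME" "$SAMPLE_STD_CONFIG")"

# Live check; the config path is an assumption and varies by distribution.
live_cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null || true)
echo "this host:       $(cpumap_rt_exposure "$(uname -v)" "$live_cfg")"
```

A host that reports `matches-described-condition` still needs its installed kernel package compared against the vendor's fixed release.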
Remediation
Install the update from the vendor's website.