SB2026062559 - Use-after-free in Linux kernel bpf
Published: June 25, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Use-after-free (CVE-ID: CVE-2026-53089)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in bpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns() when querying info for an offloaded BPF map or program during network namespace destruction. A local user can query crafted offloaded BPF map or program information to cause a denial of service.
The issue occurs because the associated network namespace may be racing with teardown and its reference count may already have reached zero.
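The condition described above, a query path touching an object whose reference count may already be zero, is normally closed by taking a reference only while the count is still non-zero. The block below is an added illustration, a userspace C model and not the kernel's code or the vendor's patch; it follows the same idea as the kernel's refcount_inc_not_zero(), and all struct and function names in it are hypothetical.

```c
/* Userspace model with constructed values; names are hypothetical, not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct model_ns {
    atomic_int refs;      /* 0 means teardown has begun; memory may be freed soon */
    unsigned long inum;   /* stands in for the namespace inode number */
};

struct model_info { unsigned long netns_ino; };

/* Take a reference only if the count is still non-zero. */
static bool ns_get_unless_zero(struct model_ns *ns)
{
    int old = atomic_load(&ns->refs);
    while (old != 0) {
        /* On failure, old is refreshed with the current count and we retry. */
        if (atomic_compare_exchange_weak(&ns->refs, &old, old + 1))
            return true;
    }
    return false;         /* count reached zero: caller must not use the object */
}

static void ns_put(struct model_ns *ns) { atomic_fetch_sub(&ns->refs, 1); }

/* Hardened query path: 0 on success, -1 if the namespace is being torn down. */
static int info_fill_ns(struct model_ns *ns, struct model_info *info)
{
    if (!ns_get_unless_zero(ns)) {
        info->netns_ino = 0;        /* report "no namespace" instead of reading it */
        return -1;
    }
    info->netns_ino = ns->inum;     /* safe: a reference is held across the read */
    ns_put(ns);
    return 0;
}

int main(void)
{
    struct model_ns live = { .refs = 1, .inum = 4242 };   /* constructed sample */
    struct model_ns dying = { .refs = 0, .inum = 4242 };  /* teardown in progress */
    struct model_info info = { 0 };
    printf("live:  rc=%d\n", info_fill_ns(&live, &info));
    printf("dying: rc=%d\n", info_fill_ns(&dying, &info));
    return 0;
}
```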
Remediation
Install the update from the vendor's website.