CVE Catalog

CVE-2026-45838

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, a vulnerability was found in the cgroup_storage_get_next_key() function in the BPF mechanism. The list_next_entry() function never returns NULL, making the NULL check dead code, and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer aliasing internal map fields and copying the result to userspace.

Risk Assessment

An attacker with privileges to perform BPF operations may gain access to unauthorized data from kernel maps, potentially leading to information disclosure or system integrity compromise.

Recommendation

Immediately update the Linux kernel to a version containing the fix that replaces list_next_entry() with list_entry_is_head() to correctly detect the end of the list and return -ENOENT.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace. Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS