PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-52938 Linux CVE debrief

A vulnerability was found in the Linux kernel, specifically related to a NULL pointer dereference in bpf_sk_storage_clone and diag paths. The issue arises when bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist. A concurrent RCU reader in bpf_sk_storage_clone() can observe the selem still on the list with smap already NULL, causing a NULL pointer dereference. The vulnerability has been resolved by adding a NULL check for smap in bpf_sk_storage_clone(). This fix prevents the NULL pointer dereference by ensuring that the smap is validated before being used.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-24
Original CVE updated
2026-07-07
Advisory published
2026-06-24
Advisory updated
2026-07-07

Who should care

Users of the Linux kernel should be aware of this vulnerability and take necessary actions to mitigate the risk. This includes reviewing system configurations, applying patches, and monitoring for updates. The vulnerability affects the Linux kernel and could potentially be exploited by attackers to cause a denial of service or execute arbitrary code.

Technical summary

The vulnerability is caused by a NULL pointer dereference in bpf_sk_storage_clone and diag paths. The issue arises when bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist. A concurrent RCU reader in bpf_sk_storage_clone() can observe the selem still on the list with smap already NULL, causing a NULL pointer dereference. The fix involves adding a NULL check for smap in bpf_sk_storage_clone() and bpf_sk_storage_diag_put_all(). Additionally, bpf_sk_storage_diag_put() uses diag->maps[i] which is always valid under its refcount, so diag->maps[i] is passed directly to diag_get().

Defensive priority

High

Recommended defensive actions

  • Apply the patch
  • Monitor for updates
  • Review system configurations
  • Verify system exposure
  • Check relevant monitoring and logs
  • Track exceptions and retest remediated assets

Evidence notes

The vulnerability was resolved by adding a NULL check for smap in bpf_sk_storage_clone(). This fix addresses a NULL pointer dereference issue that occurs when bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist, and a concurrent RCU reader in bpf_sk_storage_clone() observes the selem still on the list with smap already NULL. The fix ensures that the smap is validated before being used, preventing the NULL pointer dereference. Evidence is based on the Linux kernel patch notes and vulnerability analysis.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-24T08:16:24.073Z and has not been modified since then.