PatchSiren cyber security CVE debrief
CVE-2026-52938 Linux CVE debrief
A vulnerability was found in the Linux kernel, specifically related to a NULL pointer dereference in bpf_sk_storage_clone and diag paths. The issue arises when bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist. A concurrent RCU reader in bpf_sk_storage_clone() can observe the selem still on the list with smap already NULL, causing a NULL pointer dereference. The vulnerability has been resolved by adding a NULL check for smap in bpf_sk_storage_clone(). This fix prevents the NULL pointer dereference by ensuring that the smap is validated before being used.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-24
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-06-24
- Advisory updated
- 2026-07-07
Who should care
Users of the Linux kernel should be aware of this vulnerability and take necessary actions to mitigate the risk. This includes reviewing system configurations, applying patches, and monitoring for updates. The vulnerability affects the Linux kernel and could potentially be exploited by attackers to cause a denial of service or execute arbitrary code.
Technical summary
The vulnerability is caused by a NULL pointer dereference in bpf_sk_storage_clone and diag paths. The issue arises when bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist. A concurrent RCU reader in bpf_sk_storage_clone() can observe the selem still on the list with smap already NULL, causing a NULL pointer dereference. The fix involves adding a NULL check for smap in bpf_sk_storage_clone() and bpf_sk_storage_diag_put_all(). Additionally, bpf_sk_storage_diag_put() uses diag->maps[i] which is always valid under its refcount, so diag->maps[i] is passed directly to diag_get().
Defensive priority
High
Recommended defensive actions
- Apply the patch
- Monitor for updates
- Review system configurations
- Verify system exposure
- Check relevant monitoring and logs
- Track exceptions and retest remediated assets
Evidence notes
The vulnerability was resolved by adding a NULL check for smap in bpf_sk_storage_clone(). This fix addresses a NULL pointer dereference issue that occurs when bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist, and a concurrent RCU reader in bpf_sk_storage_clone() observes the selem still on the list with smap already NULL. The fix ensures that the smap is validated before being used, preventing the NULL pointer dereference. Evidence is based on the Linux kernel patch notes and vulnerability analysis.
Official resources
-
CVE-2026-52938 CVE record
CVE.org
-
CVE-2026-52938 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-24T08:16:24.073Z and has not been modified since then.