CVE-2026-23342 Overview
A race condition vulnerability has been identified in the Linux kernel's BPF cpumap implementation affecting systems running PREEMPT_RT kernels. The vulnerability exists in the per-CPU xdp_bulk_queue (bq) structure, which can be accessed concurrently by multiple preemptible tasks on the same CPU due to improper synchronization mechanisms.
On PREEMPT_RT kernels, local_bh_disable() only calls migrate_disable() rather than disabling preemption entirely. This allows CFS scheduling to preempt a task during bq_flush_to_queue(), enabling another task on the same CPU to enter bq_enqueue() and operate on the same per-CPU bq concurrently, leading to memory corruption and potential kernel crashes.
Critical Impact
This race condition can lead to double list deletion operations, kernel NULL pointer dereference crashes, and potential memory corruption in the BPF cpumap subsystem on PREEMPT_RT-enabled Linux kernels.
Affected Products
- Linux Kernel with PREEMPT_RT enabled
- Systems utilizing BPF cpumap functionality
- XDP (eXpress Data Path) implementations on RT kernels
Discovery Timeline
- 2026-03-25 - CVE-2026-23342 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23342
Vulnerability Analysis
The vulnerability stems from a fundamental assumption in the original code design that bq_enqueue() and __cpu_map_flush() would run atomically with respect to each other on the same CPU. This assumption relied on local_bh_disable() to prevent preemption. However, on PREEMPT_RT kernels, this mechanism behaves differently—it only disables migration rather than preemption when PREEMPT_RT_NEEDS_BH_LOCK is not set.
This design flaw allows multiple preemptible tasks to access the same per-CPU xdp_bulk_queue structure simultaneously, creating several dangerous race conditions:
Double __list_del_clearprev() race: After bq->count is reset in bq_flush_to_queue(), a preempting task can call bq_enqueue() followed by its own bq_flush_to_queue() on the same bq when bq->count reaches CPU_MAP_BULK_SIZE. Both tasks then attempt to call __list_del_clearprev() on the same bq->flush_node, where the second call dereferences the prev pointer that was already set to NULL by the first operation.
Queue corruption race: Concurrent bq_enqueue() operations can corrupt the packet queue (bq->q[]) while bq_flush_to_queue() is actively processing it.
Root Cause
The root cause is the reliance on local_bh_disable() for serialization, which does not provide the expected atomicity guarantees on PREEMPT_RT kernels. The per-CPU xdp_bulk_queue structure lacks proper locking to handle the preemptible nature of PREEMPT_RT, allowing tasks to be scheduled out in the middle of critical operations and permitting concurrent access to shared data structures.
Attack Vector
The vulnerability is triggered through normal BPF cpumap operations on PREEMPT_RT-enabled kernels. The race occurs between XDP flush operations (xdp_do_flush -> bq_flush_to_queue) and CPU map enqueue operations (cpu_map_enqueue -> bq_enqueue -> bq_flush_to_queue) running on the same CPU but in different preemptible contexts.
The race sequence demonstrates how Task A can be preempted by CFS scheduling after resetting bq->count but before completing __list_del_clearprev(), allowing Task B to complete its own flush operation first. When Task A resumes and attempts to dereference flush_node.prev, it encounters a NULL pointer, resulting in a kernel oops.
The vulnerability can be reliably reproduced by inserting an mdelay(100) between bq->count = 0 and __list_del_clearprev() in bq_flush_to_queue(), then running the reproducer provided by syzkaller. This artificial delay widens the race window to make the condition deterministic.
Detection Methods for CVE-2026-23342
Indicators of Compromise
- Kernel oops messages referencing NULL pointer dereference in BPF cpumap code paths
- System crashes or panics occurring during XDP packet processing on PREEMPT_RT systems
- Stack traces showing bq_flush_to_queue() or __cpu_map_flush() functions
- Memory corruption symptoms in XDP or BPF-related subsystems
Detection Strategies
- Monitor kernel logs for NULL pointer dereference crashes in bq_flush_to_queue or __list_del_clearprev functions
- Check for PREEMPT_RT kernel configuration (CONFIG_PREEMPT_RT=y) combined with active BPF cpumap usage
- Review system logs for unexpected kernel oops events during high network throughput scenarios
- Audit running kernel version against patched versions in the official kernel git commits
Monitoring Recommendations
- Implement kernel crash dump analysis to capture stack traces when NULL pointer dereferences occur
- Deploy kernel tracing (ftrace or eBPF-based) on bq_enqueue and bq_flush_to_queue to detect concurrent execution patterns
- Monitor system stability metrics on PREEMPT_RT nodes utilizing XDP functionality
- Set up alerts for kernel panic events on systems running affected configurations
How to Mitigate CVE-2026-23342
Immediate Actions Required
- Identify all Linux systems running PREEMPT_RT kernels with BPF cpumap or XDP functionality enabled
- Prioritize patching for systems with high network throughput that actively use XDP for packet processing
- Apply the kernel patches from the official git commits to affected systems
- Consider temporarily disabling XDP/cpumap functionality on critical PREEMPT_RT systems until patches are applied
Patch Information
The fix introduces a local_lock_t to the xdp_bulk_queue structure, which is acquired in both bq_enqueue() and __cpu_map_flush(). The implementation uses local_lock_nested_bh(), which provides no overhead on non-RT kernels (serving only as an annotation) while providing proper per-CPU sleeping lock serialization on PREEMPT_RT systems.
Official patches are available through the kernel git repository:
Workarounds
- Disable PREEMPT_RT configuration (CONFIG_PREEMPT_RT) if real-time scheduling is not strictly required
- Avoid using BPF cpumap functionality on PREEMPT_RT-enabled systems until the kernel is patched
- Consider using standard preemption models (CONFIG_PREEMPT or CONFIG_PREEMPT_VOLUNTARY) as an alternative
- Implement network processing in user space rather than XDP for critical systems awaiting patches
# Check if PREEMPT_RT is enabled on your system
grep -i preempt_rt /boot/config-$(uname -r)
# Verify current kernel version
uname -r
# Check for BPF cpumap usage
bpftool map list | grep cpumap
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
