CVE-2026-45838 Overview
CVE-2026-45838 is a Linux kernel vulnerability in the Berkeley Packet Filter (BPF) subsystem. The flaw is in cgroup_storage_get_next_key() in kernel/bpf/local_storage.c, where end-of-list detection relies on a NULL check that can never trigger. The function advances with list_next_entry(), which resolves the next element through container_of(); when the current entry is the last one, the next pointer is the list head embedded in the map structure, so the macro yields a pointer into the map rather than NULL. The function therefore never returns -ENOENT after the final entry and instead reads storage->key through a pointer that aliases internal map fields, copying those bytes to userspace.
Critical Impact
The defect leaks the contents of BPF map internals (fields of struct bpf_cgroup_storage_map adjacent to its list head, potentially including kernel pointers) to any local process that can iterate the keys of a cgroup storage map. It is an information disclosure, not a memory-corruption primitive, but kernel address leaks are a standard building block for chaining with other bugs.
Affected Products
- Linux kernel BPF subsystem (kernel/bpf/local_storage.c)
- Kernels built with CONFIG_CGROUP_BPF, which provides BPF_MAP_TYPE_CGROUP_STORAGE and BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE (both map types use the same get_next_key callback)
- Multiple stable branches referenced in the upstream fix commits
Discovery Timeline
- 2026-05-27 - CVE-2026-45838 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45838
Vulnerability Analysis
The vulnerability sits in the get_next_key() callback for the cgroup storage BPF map type, which serves bpf(BPF_MAP_GET_NEXT_KEY). The function walks a linked list of storage entries to return the key that follows the caller-supplied one. The original code calls list_next_entry() on the current entry and then tests the result against NULL to detect the end of the list. That test is dead code.
list_next_entry() is container_of() applied to the current entry's next pointer: it subtracts the offset of the list_head member from that pointer. Linux lists are circular, so when the current entry is the tail, its next pointer is the list head embedded in struct bpf_cgroup_storage_map, not a real entry. container_of() still subtracts the member offset from it, producing a non-NULL pointer into the map structure. The NULL check passes, and the function dereferences that pointer as if it were a struct bpf_cgroup_storage.
The storage->key read therefore lands on map-internal fields adjacent to the list head, and the result is copied into the key buffer the caller passed to bpf(BPF_MAP_GET_NEXT_KEY). The fix replaces the NULL check with list_entry_is_head(), which compares the entry's list_head member against the head sentinel and returns -ENOENT when they match.
Root Cause
The root cause is an incorrect end-of-list idiom. The code treated list_next_entry() as if it returned NULL on exhaustion, mirroring the contract of other iterators. Linux circular doubly linked lists have no NULL terminator: the only end marker is the head sentinel, which list_next_entry() converts into a bogus entry pointer without complaint. This is a logic flaw producing an out-of-bounds read (struct bpf_cgroup_storage fields read from memory that actually holds a struct bpf_cgroup_storage_map) and information disclosure of adjacent kernel memory.
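To make the dead check concrete, here is an added userspace model (example code, not from the advisory or the kernel tree) that re-implements the list macros with the same semantics as include/linux/list.h, reduces struct bpf_cgroup_storage_map and struct bpf_cgroup_storage to the fields that matter, and runs the original end-of-list test beside the fixed one over a constructed two-entry map. The struct layouts, the linear lookup() standing in for the kernel's rb-tree search, and the LEAK_MARKER value are all assumptions of the model:

```c
/* Userspace model of the dead NULL check in cgroup_storage_get_next_key(). Added
 * example, not kernel code: the list macros mirror include/linux/list.h and the
 * structs keep only the fields that matter; LEAK_MARKER is a constructed value. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
/* As upstream: the sentinel is a plain list_head, so this never yields NULL. */
#define list_next_entry(pos, member) \
	list_entry((pos)->member.next, __typeof__(*(pos)), member)
#define list_entry_is_head(pos, head, member) (&(pos)->member == (head))
#define list_empty(head) ((head)->next == (head))
struct bpf_cgroup_storage_key { uint64_t cgroup_inode_id; uint32_t attach_type; };
/* Stands in for the map-internal data (e.g. a kernel pointer) that the bogus
 * storage->key lands on inside struct bpf_cgroup_storage_map. */
#define LEAK_MARKER 0xffff888012345678ULL
struct cg_storage_map {			/* reduced struct bpf_cgroup_storage_map */
	uint64_t internals[3];		/* map fields that precede the list head */
	struct list_head list;
};
struct cg_storage {			/* reduced struct bpf_cgroup_storage */
	struct bpf_cgroup_storage_key key;	/* precedes list_map, as upstream */
	struct list_head list_map;
};

/* Linear scan standing in for the kernel's rb-tree cgroup_storage_lookup(). */
static struct cg_storage *lookup(struct cg_storage_map *map,
				 const struct bpf_cgroup_storage_key *key)
{
	for (struct list_head *p = map->list.next; p != &map->list; p = p->next) {
		struct cg_storage *s = list_entry(p, struct cg_storage, list_map);
		if (s->key.cgroup_inode_id == key->cgroup_inode_id &&
		    s->key.attach_type == key->attach_type)
			return s;
	}
	return NULL;
}

/* use_fix = 0: original end-of-list test; 1: upstream fix. Same flow otherwise. */
static int get_next_key(struct cg_storage_map *map,
			const struct bpf_cgroup_storage_key *key,
			struct bpf_cgroup_storage_key *next_key, int use_fix)
{
	struct cg_storage *storage;
	if (list_empty(&map->list))
		return -ENOENT;
	if (key) {
		storage = lookup(map, key);
		if (!storage)
			return -ENOENT;
		storage = list_next_entry(storage, list_map);
		if (use_fix) {
			if (list_entry_is_head(storage, &map->list, list_map))
				return -ENOENT;	/* correct end-of-list test */
		} else if (!storage) {
			return -ENOENT;		/* dead code: never NULL */
		}
	} else {
		storage = list_entry(map->list.next, struct cg_storage, list_map);
	}
	/* Upstream does `*next = storage->key`; memcpy sidesteps strict aliasing here. */
	memcpy(next_key, &storage->key, sizeof(*next_key));
	return 0;
}

/* fixed form: keys seen and final rc; unfixed form: rc and "key" past the tail */
struct demo_result { int fixed_keys, fixed_tail_rc, vuln_tail_rc; uint64_t vuln_leaked; };

/* Builds a two-entry map and walks it with both variants as a userspace
 * BPF_MAP_GET_NEXT_KEY loop would (key in, next key out). */
struct demo_result run_demo(void)
{
	struct cg_storage_map map = { { 0, LEAK_MARKER, 0xdeadbeefULL }, { 0, 0 } };
	struct cg_storage a = { { 100, 1 }, { 0, 0 } }, b = { { 200, 1 }, { 0, 0 } };
	struct bpf_cgroup_storage_key k, last = b.key;
	struct demo_result r = { 0, 0, 0, 0 };
	map.list.next = &a.list_map;	map.list.prev = &b.list_map;
	a.list_map.prev = &map.list;	a.list_map.next = &b.list_map;
	b.list_map.prev = &a.list_map;	b.list_map.next = &map.list;
	for (r.fixed_tail_rc = get_next_key(&map, NULL, &k, 1); r.fixed_tail_rc == 0;
	     r.fixed_tail_rc = get_next_key(&map, &k, &k, 1))
		r.fixed_keys++;
	r.vuln_tail_rc = get_next_key(&map, &last, &k, 0);
	r.vuln_leaked = k.cgroup_inode_id;
	return r;
}

int main(void)
{
	struct demo_result r = run_demo();
	printf("fixed: %d keys then rc=%d; unfixed: rc=%d key=0x%llx (map internals)\n",
	       r.fixed_keys, r.fixed_tail_rc, r.vuln_tail_rc, (unsigned long long)r.vuln_leaked);
	return 0;
}
```

Compile with cc -std=c11 and run: the fixed variant returns two keys and then -ENOENT, while the original variant returns 0 past the last key and hands back LEAK_MARKER, the value sitting in the map structure where the bogus storage->key resolves. Which real field that is in the kernel depends on the struct layout of the running build; the point is that it is map state, not a key.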
Attack Vector
A local process with a file descriptor for a populated cgroup storage map calls bpf(BPF_MAP_GET_NEXT_KEY) repeatedly, feeding each returned key back in, until it reaches the last real entry. On a vulnerable kernel the call after the last entry still returns success, and the key buffer is filled from struct bpf_cgroup_storage_map fields adjacent to the list head instead of from a key. Those bytes are not attacker-controlled: they are whatever the map structure holds at that offset, which is why the bug matters as an information leak (it may expose kernel pointers) rather than as a corruption primitive. The fd can come from a map the attacker created and populated by attaching a cgroup BPF program that uses it, or from an existing map opened with read permission, for example a bpffs pin; only read access to the map is needed for BPF_MAP_GET_NEXT_KEY. A process without CAP_BPF or CAP_SYS_ADMIN can reach bpf() at all only when kernel.unprivileged_bpf_disabled is 0.
The vulnerability mechanism is described in upstream commits — refer to the Linux Kernel Commit 32ce55d and Linux Kernel Commit fc39753b for the exact fix.
Detection Methods for CVE-2026-45838
Indicators of Compromise
- Unprivileged or low-privileged processes issuing repeated bpf(BPF_MAP_GET_NEXT_KEY) syscalls against cgroup storage maps
- Userspace programs creating BPF_MAP_TYPE_CGROUP_STORAGE or BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE maps outside expected workloads such as systemd or container runtimes
- Unexpected processes opening pinned cgroup storage maps under bpffs (/sys/fs/bpf), the cheapest way to obtain a readable map fd without creating one, or reading map keys and then writing them to the network or to files
Detection Strategies
- Audit bpf() with auditd: the syscall filter can match the command number in the first argument (a0=4 for BPF_MAP_GET_NEXT_KEY, a0=0 for BPF_MAP_CREATE) but not the map type, which lives in the bpf_attr struct; resolve the type afterwards with bpftool map show or a tracepoint on the syscall
- Correlate process lineage and capability sets (CAP_BPF, CAP_SYS_ADMIN) against expected baselines for BPF map consumers
- Hunt for processes that issue GET_NEXT_KEY bursts against the same map and are not known map consumers; bpftool map dump legitimately produces the same pattern, so baseline it rather than alerting on the pattern alone
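As an added example of the hunt in the last bullet (not from the advisory), the C program below parses auditd SYSCALL records, counts bpf(BPF_MAP_GET_NEXT_KEY) calls per pid, and flags bursts from processes that are not allowlisted map consumers. The audit rule it assumes, the x86_64 syscall number, the threshold and the sample records (pids, comm names, timestamps) are all constructed for the demo:

```c
/* Triage of auditd SYSCALL records for bursts of bpf(BPF_MAP_GET_NEXT_KEY).
 * Added example, not from the advisory. It assumes x86_64 records written by
 *   -a always,exit -F arch=b64 -S bpf -k bpf_syscall
 * (syscall 321 is bpf(), a0 is the bpf command in hex, 4 = BPF_MAP_GET_NEXT_KEY).
 * The records, pids and comm names below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PIDS 64
#define BURST_THRESHOLD 3	/* assumed tuning knob: calls per pid before alerting */

#define REC(ts, cmd, pid, comm) \
	"type=SYSCALL msg=audit(" ts "): arch=c000003e syscall=321 success=yes" \
	" exit=0 a0=" cmd " a1=7ffd9c0 a2=78 a3=0 ppid=1 pid=" pid " auid=1000 uid=0" \
	" comm=\"" comm "\" key=\"bpf_syscall\""

/* Constructed sample: an orchestrator creating and reading its own map, a
 * one-off bpftool call, and an unexpected process hammering GET_NEXT_KEY. */
static const char *sample_log[] = {
	REC("1780000000.101:501", "0", "4120", "systemd"),
	REC("1780000000.102:502", "4", "4120", "systemd"),
	REC("1780000000.200:510", "4", "7800", "bpftool"),
	REC("1780000000.300:520", "4", "7731", "keyleak"),
	REC("1780000000.301:521", "4", "7731", "keyleak"),
	REC("1780000000.302:522", "4", "7731", "keyleak"),
};
#define NSAMPLE ((int)(sizeof sample_log / sizeof sample_log[0]))

struct pid_stat { long pid; char comm[32]; int next_key_calls; };

/* Copies the value of " name=" (quotes stripped) into out; returns 0 if absent. */
static int field(const char *line, const char *name, char *out, size_t n)
{
	char pat[32];
	const char *p, *e;
	snprintf(pat, sizeof pat, " %s=", name);
	if (!(p = strstr(line, pat)))
		return 0;
	p += strlen(pat);
	e = (*p == '"') ? strchr(++p, '"') : strchr(p, ' ');
	if (!e)
		e = p + strlen(p);
	if ((size_t)(e - p) >= n)
		return 0;
	memcpy(out, p, e - p);
	out[e - p] = '\0';
	return 1;
}

/* Tallies GET_NEXT_KEY calls per pid, then prints and counts pids that reach
 * the burst threshold and are not allowlisted map consumers (bpftool map dump
 * produces the same burst, hence the allowlist). Returns the number of hits. */
int flag_bursts(const char **lines, int nlines, const char **allow, int nallow)
{
	struct pid_stat st[MAX_PIDS] = { { 0 } };
	int n = 0, hits = 0;
	char v[128];
	for (int i = 0; i < nlines; i++) {
		const char *l = lines[i];
		struct pid_stat *s = NULL;
		long pid;
		if (!strstr(l, " syscall=321 ") ||
		    !field(l, "a0", v, sizeof v) || strtol(v, NULL, 16) != 4 ||
		    !field(l, "pid", v, sizeof v))
			continue;	/* not bpf(), not GET_NEXT_KEY, or no pid */
		pid = strtol(v, NULL, 10);
		for (int j = 0; j < n && !s; j++)
			if (st[j].pid == pid)
				s = &st[j];
		if (!s && n < MAX_PIDS)
			(s = &st[n++])->pid = pid;	/* new pid; table was zeroed */
		if (!s)
			break;		/* table full; a real tool would hash */
		s->next_key_calls++;
		if (field(l, "comm", v, sizeof v))
			snprintf(s->comm, sizeof s->comm, "%s", v);
	}
	for (int i = 0; i < n; i++) {
		int allowed = 0;
		for (int j = 0; j < nallow; j++)
			allowed |= strcmp(st[i].comm, allow[j]) == 0;
		if (allowed || st[i].next_key_calls < BURST_THRESHOLD)
			continue;
		printf("ALERT pid=%ld comm=%s: %d BPF_MAP_GET_NEXT_KEY calls\n",
		       st[i].pid, st[i].comm, st[i].next_key_calls);
		hits++;
	}
	return hits;
}

/* Triage of the sample with the expected consumers allowlisted. */
int sample_hits(void)
{
	static const char *allow[] = { "systemd", "bpftool" };
	return flag_bursts(sample_log, NSAMPLE, allow, 2);
}

int main(void) { printf("%d suspicious process(es)\n", sample_hits()); return 0; }
```

In production the allowlist and threshold come from your baseline and the records from ausearch -k bpf_syscall; a hit is a prompt to pull the map type with bpftool map show and check the process's capabilities, not an alert on its own, since any map-walking exporter produces the same burst.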
Monitoring Recommendations
- Forward kernel audit logs and eBPF activity to a centralized analytics platform for cross-host correlation
- Track kernel versions across the fleet and flag hosts running pre-patch builds against the fixed commit hashes
- Alert on new processes that load BPF programs and create cgroup storage maps outside known orchestrators
How to Mitigate CVE-2026-45838
Immediate Actions Required
- Apply the upstream fix (or your distribution's kernel update that carries it), rebuild affected kernels where you build your own, and reboot impacted hosts
- Inventory hosts where untrusted users hold CAP_BPF or CAP_SYS_ADMIN and reduce that surface where possible
- Set kernel.unprivileged_bpf_disabled=1 until patched kernels are deployed; this does not protect against processes that already hold CAP_BPF or CAP_SYS_ADMIN
Patch Information
The fix replaces the dead NULL check with list_entry_is_head() in cgroup_storage_get_next_key(). Backports are available across stable trees in commits 32ce55d4, 5828b9e5, 85a2f30e, b4b5a20b, and fc39753b. Refer to the Linux Kernel Commit 85a2f30e and Linux Kernel Commit b4b5a20b for the stable backports applicable to your branch.
Workarounds
- Set kernel.unprivileged_bpf_disabled=1 via sysctl, which makes bpf() return EPERM for any caller without CAP_BPF or CAP_SYS_ADMIN (map creation and key iteration included, not only program loading); many distributions already boot with the value 2 via CONFIG_BPF_UNPRIV_DEFAULT_OFF, and 1 differs in that it cannot be cleared again without a reboot
- Restrict CAP_BPF and CAP_SYS_ADMIN to trusted service accounts only, and keep pinned cgroup storage maps in bpffs readable only by the accounts that need them
- Apply seccomp filters in container runtimes to block the bpf() syscall for workloads that do not require it
# Configuration example
# Disable unprivileged BPF until the kernel is patched. 1 cannot be cleared
# again without a reboot; 2 also disables it but stays adjustable.
sudo sysctl -w kernel.unprivileged_bpf_disabled=1
echo 'kernel.unprivileged_bpf_disabled=1' | sudo tee /etc/sysctl.d/90-bpf-hardening.conf
# Confirm the live value (expect 1)
sysctl kernel.unprivileged_bpf_disabled
# Verify the running kernel after patching and rebooting
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.