{"id":80794,"date":"2026-06-19T18:13:33","date_gmt":"2026-06-19T14:43:33","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-52910-bpf-free-reuseport-cbpf-prog-after-rcu-grace-period\/"},"modified":"2026-06-19T18:13:33","modified_gmt":"2026-06-19T14:43:33","slug":"cve-2026-52910-bpf-free-reuseport-cbpf-prog-after-rcu-grace-period","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-52910-bpf-free-reuseport-cbpf-prog-after-rcu-grace-period\/","title":{"rendered":"CVE-2026-52910 &#8211; bpf: Free reuseport cBPF prog after RCU grace period."},"content":{"rendered":"<p>CVE ID :CVE-2026-52910<\/p>\n<p>  Published : June 19, 2026, 2:43 p.m. | 59\u00a0minutes ago<\/p>\n<p>  Description :In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>bpf: Free reuseport cBPF prog after RCU grace period.<\/p>\n<p>Eulgyu Kim reported the splat below with a repro. [0]\n<p>The repro sets up a UDP reuseport group with a cBPF prog and<br \/>\nreplaces it with a new one while another thread is sending<br \/>\na UDP packet to the group.<\/p>\n<p>The reuseport prog is freed by sk_reuseport_prog_free().<br \/>\nbpf_prog_put() is called for &#8220;e&#8221;BPF prog to destruct through<br \/>\nmultiple stages while cBPF prog is freed immediately by<br \/>\nbpf_release_orig_filter() and bpf_prog_free().<\/p>\n<p>If a reuseport prog is detached from the setsockopt() path<br \/>\n(reuseport_attach_prog() or reuseport_detach_prog()),<br \/>\nsk_reuseport_prog_free() is called without waiting for RCU<br \/>\nreaders to complete, resulting in various bugs.<\/p>\n<p>Let&#8217;s defer freeing the reuseport cBPF prog after one RCU<br \/>\ngrace period.<\/p>\n<p>Note &#8220;e&#8221;BPF prog is safe as is unless the fast path starts<br \/>\nto touch fields destroyed in bpf_prog_put_deferred() and<br \/>\n__bpf_prog_put_noref().<\/p>\n[0]:<br \/>\nBUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc\/0x1220 net\/core\/sock_reuseport.c:596<br \/>\nRead of size 4 at addr ffffc9000051e004 by task slowme\/10208<br \/>\nCPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)<br \/>\nHardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04\/01\/2014<br \/>\nCall Trace:<\/p>\n<p> dump_stack_lvl+0xe8\/0x150 lib\/dump_stack.c:120<br \/>\n print_address_description mm\/kasan\/report.c:378 [inline]\n print_report+0xca\/0x240 mm\/kasan\/report.c:482<br \/>\n kasan_report+0x118\/0x150 mm\/kasan\/report.c:595<br \/>\n reuseport_select_sock+0xedc\/0x1220 net\/core\/sock_reuseport.c:596<br \/>\n udp4_lib_lookup2+0x3bc\/0x950 net\/ipv4\/udp.c:495<br \/>\n __udp4_lib_lookup+0x768\/0xe20 net\/ipv4\/udp.c:723<br \/>\n __udp4_lib_lookup_skb+0x297\/0x390 net\/ipv4\/udp.c:752<br \/>\n __udp4_lib_rcv+0x1312\/0x2620 net\/ipv4\/udp.c:2752<br \/>\n ip_protocol_deliver_rcu+0x282\/0x440 net\/ipv4\/ip_input.c:207<br \/>\n ip_local_deliver_finish+0x3bb\/0x6f0 net\/ipv4\/ip_input.c:241<br \/>\n NF_HOOK+0x30c\/0x3a0 include\/linux\/netfilter.h:318<br \/>\n NF_HOOK+0x30c\/0x3a0 include\/linux\/netfilter.h:318<br \/>\n __netif_receive_skb_one_core net\/core\/dev.c:6181 [inline]\n __netif_receive_skb net\/core\/dev.c:6294 [inline]\n process_backlog+0xaa4\/0x1960 net\/core\/dev.c:6645<br \/>\n __napi_poll+0xae\/0x340 net\/core\/dev.c:7709<br \/>\n napi_poll net\/core\/dev.c:7772 [inline]\n net_rx_action+0x5d7\/0xf50 net\/core\/dev.c:7929<br \/>\n handle_softirqs+0x22b\/0x870 kernel\/softirq.c:622<br \/>\n do_softirq+0x76\/0xd0 kernel\/softirq.c:523<\/p>\n<p> __local_bh_enable_ip+0xf8\/0x130 kernel\/softirq.c:450<br \/>\n local_bh_enable include\/linux\/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include\/linux\/rcupdate.h:924 [inline]\n __dev_queue_xmit+0x1dd7\/0x3710 net\/core\/dev.c:4890<br \/>\n neigh_output include\/net\/neighbour.h:556 [inline]\n ip_finish_output2+0xca9\/0x1070 net\/ipv4\/ip_output.c:237<br \/>\n NF_HOOK_COND include\/linux\/netfilter.h:307 [inline]\n ip_output+0x29f\/0x450 net\/ipv4\/ip_output.c:438<br \/>\n ip_send_skb+0x45\/0xc0 net\/ipv4\/ip_output.c:1508<br \/>\n udp_send_skb+0xb04\/0x1510 net\/ipv4\/udp.c:1195<br \/>\n udp_sendmsg+0x1a71\/0x2350 net\/ipv4\/udp.c:1485<br \/>\n sock_sendmsg_nosec net\/socket.c:727 [inline]\n __sock_sendmsg net\/socket.c:742 [inline]\n __sys_sendto+0x554\/0x680 net\/socket.c:2206<br \/>\n __do_sys_sendto net\/socket.c:2213 [inline]\n __se_sys_sendto net\/socket.c:2209 [inline]\n __x64_sys_sendto+0xde\/0x100 net\/socket.c:2209<br \/>\n do_syscall_x64 arch\/x86\/entry\/syscall_64.c:63 [inline]\n do_syscall_64+0x160\/0xf80 arch\/x86\/entry\/syscall_64.c:94<br \/>\n entry_SYSCALL_64_after_hwframe+0x77\/0x7f<br \/>\nRIP: 0033:0x415a2d<br \/>\nCode: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05  3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48<br \/>\nRSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c<br \/>\nRAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d<br \/>\nRDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003<br \/>\nRBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010<br \/>\nR10: 0000000000000000 R11:<br \/>\n&#8212;truncated&#8212;<\/p>\n<p>  Severity: 0.0 | NA<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-52910 Published : June 19, 2026, 2:43 p.m. | 59\u00a0minutes ago Description :In the Linux kernel, the following vulnerability has been resolved: bpf: Free reuseport cBPF prog after RCU grace period. Eulgyu Kim reported the splat below with a repro. [0] The repro sets up a UDP reuseport group with a cBPF prog &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-80794","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/80794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=80794"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/80794\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=80794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=80794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=80794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}