In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.
Based on Martin KaFai Lau's suggestions, I have created a simple patch.
To fix this: Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is not already zero.
Testing: I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger:
    static void bpf_shim_tramp_link_release(struct bpf_link *link)
    {
        /* ... */
        if (!shim_link->trampoline)
            return;
Before the patch, running a PoC easily reproduced the crash (almost 100%) with a call trace similar to KaiyanM's report. After the patch, the bug no longer occurs even after millions of iterations.
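As an added illustration, not part of the commit or of the kernel source, the following userspace C model replays the interleaving described above with stand-in types and functions (struct shim, shim_try_get, shim_put, shim_release, link_shim_unchecked, link_shim_checked and replay are all hypothetical). The blind increment turns a zero count back into one on an object whose release is already pending, while the refcount_inc_not_zero()-style check refuses and reports the shim as not found.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Stand-in for bpf_shim_tramp_link: refcount plus the two states that matter here. */
struct shim {
	atomic_int refs;
	bool on_list;	/* still reachable via tr->progs_hlist */
	bool freed;	/* deferred release has run */
};
/* refcount_inc_not_zero() semantics: refuse to bump a zero count, so an
 * object whose release is pending cannot be brought back to life. */
static bool shim_try_get(struct shim *s)
{
	int old = atomic_load(&s->refs);
	do {
		if (old == 0)
			return false;
	} while (!atomic_compare_exchange_weak(&s->refs, &old, old + 1));
	return true;
}
/* bpf_link_put() stand-in: the count hits zero here, but unlinking and
 * freeing happen later in shim_release(); that gap is the race window. */
static void shim_put(struct shim *s) { atomic_fetch_sub(&s->refs, 1); }
/* Deferred cleanup: hlist_del from tr->progs_hlist, then kfree. */
static void shim_release(struct shim *s) { s->on_list = false; s->freed = true; }
/* Pre-fix link path: lookup succeeds and the count is bumped blindly,
 * turning 0 into 1 on an object that is about to be freed. */
static int link_shim_unchecked(struct shim *s)
{
	if (!s->on_list)
		return -1;
	atomic_fetch_add(&s->refs, 1);
	return 0;
}
/* Fixed link path: take the reference only if it is still non-zero;
 * otherwise report "not found" so the caller allocates a fresh shim. */
static int link_shim_checked(struct shim *s)
{
	return (s->on_list && shim_try_get(s)) ? 0 : -1;
}
/* Replays the interleaving: put drops the count to zero, a second linker runs
 * before the deferred release, then the release runs. Returns true if the
 * linker is left holding a reference to freed memory (the UAF). */
static bool replay(bool fixed)
{
	struct shim s = { .refs = 1, .on_list = true, .freed = false };
	shim_put(&s);
	int rc = fixed ? link_shim_checked(&s) : link_shim_unchecked(&s);
	shim_release(&s);
	return rc == 0 && s.freed;
}
```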
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23319.json",
"cna_assigner": "Linux"
}