Linux Kernel Vulnerability in BPF Accessing Race Conditions
CVE-2026-23294

7 HIGH

Key Information:

Vendor

Linux

Status
Vendor
CVE Published: 25 March 2026

What is CVE-2026-23294?

A race condition exists in the Linux kernel's BPF subsystem on PREEMPT_RT configurations, where concurrent access from multiple preemptible tasks can lead to double-free and use-after-free conditions. The cause is an incorrect assumption that certain functions run atomically, which task preemption in these configurations violates. The flaw can corrupt internal data structures and allow tasks to improperly share data. Introducing a locking mechanism serializes access to the critical structures and addresses these vulnerabilities.

Affected Version(s)

Linux 3253cb49cbad4772389d6ef55be75db1f97da910 < 6c10b019785dc282c5f45d21e4a3f468b8fd6476

Linux 3253cb49cbad4772389d6ef55be75db1f97da910

Linux 3253cb49cbad4772389d6ef55be75db1f97da910 < 1872e75375c40add4a35990de3be77b5741c252c

CVSS V3.1

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
