CVE-2026-45838 - Vulnerability Details

- bpf: fix end-of-list detection in cgroup_storage_get_next_key()

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: fix end-of-list detection in cgroup_storage_get_next_key()

list_next_entry() never returns NULL -- when the current element is the
last entry it wraps to the list head via container_of(). The subsequent
NULL check is therefore dead code and get_next_key() never returns
-ENOENT for the last element, instead reading storage->key from a bogus
pointer that aliases internal map fields and copying the result to
userspace.

Replace it with list_entry_is_head() so the function correctly returns
-ENOENT when there are no more entries.

Published: 2026-05-27

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 0f3d9dd5e1fd52b39e25328307c6a694e994ffe3
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 26d3339e465e54107bd85884341d1609c5300d6a
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< b4b5a20bed82130da2f2818f04d52378952fbd0b
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 85a2f30e40f7468db732f55659bc6318874f49af
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 32ce55d424395904986f5066f8755f6cb9993377
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< fc39753b7f92e09177777e9c648afe5aa3abb81f
`de9cbbaadba5adf88a19e46df61f7054000838f6`	affected	< 5828b9e5b272ecff7cf5d345128d3de7324117f7

Linux

affected

Version	Status	Constraints
`4.19`	affected	—
`0`	unaffected	< 4.19
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[de9cbbaadba5adf88a19e46df61f7054000838f6,b4b5a20bed82130da2f2818f04d52378952fbd0b)`	affected	code_commit	—
`[de9cbbaadba5adf88a19e46df61f7054000838f6,85a2f30e40f7468db732f55659bc6318874f49af)`	affected	code_commit	—
`[de9cbbaadba5adf88a19e46df61f7054000838f6,32ce55d424395904986f5066f8755f6cb9993377)`	affected	code_commit	—
`[de9cbbaadba5adf88a19e46df61f7054000838f6,fc39753b7f92e09177777e9c648afe5aa3abb81f)`	affected	code_commit	—
`[de9cbbaadba5adf88a19e46df61f7054000838f6,5828b9e5b272ecff7cf5d345128d3de7324117f7)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.19`	affected	semver	—
`[0,4.19)`	unaffected	semver	—
`[6.6.141,6.7.0)`	unaffected	semver	—
`[6.12.91,6.13.0)`	unaffected	semver	—
`[6.18.33,6.19.0)`	unaffected	semver	—
`[7.0.10,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6355-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00114.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0f3d9dd5e1fd52b39e25328307c6a694e994ffe3
https://git.kernel.org/stable/c/26d3339e465e54107bd85884341d1609c5300d6a
https://git.kernel.org/stable/c/2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6
https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377
https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7
https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af
https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b
https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f
https://lore.kernel.org/linux-cve-announce/2026052711-CVE-2026-45838-9c3b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45838
https://www.cve.org/CVERecord?id=CVE-2026-45838

History

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/0f3d9dd5e1fd52b39e25328307c6a694e994ffe3 https://git.kernel.org/stable/c/26d3339e465e54107bd85884341d1609c5300d6a https://git.kernel.org/stable/c/2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6

Thu, 28 May 2026 05:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-200

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
References		https://lore.kernel.org/linux-cve-announce/2026052711-CVE-2026-45838-9c3b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45838 https://www.cve.org/CVERecord?id=CVE-2026-45838
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 27 May 2026 12:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-200

Wed, 27 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace. Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.
Title		bpf: fix end-of-list detection in cgroup_storage_get_next_key()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377 https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7 https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T09:24:36.561Z

Updated: 2026-06-14T17:46:05.613Z

Reserved: 2026-05-13T15:03:33.077Z

Link: CVE-2026-45838

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T11:16:23.130

Modified: 2026-06-17T10:52:35.020

Link: CVE-2026-45838

Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45838 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T06:30:10Z

Weaknesses

CWE-125

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object