CVE-2026-23319
Published: 25 March 2026
Summary
CVE-2026-23319 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23319 is a use-after-free (UAF) vulnerability in the Linux kernel's BPF subsystem, specifically within the bpf_trampoline_link_cgroup_shim function. The issue arises when bpf_link_put reduces the refcount of shim_link->link.link to zero, marking the resource as released while it remains referenced via tr->progs_hlist in cgroup_shim_find. Cleanup of tr->progs_hlist is deferred to bpf_shim_tramp_link_release, creating a window for UAF exploitation by another process calling bpf_trampoline_link_cgroup_shim.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required (AV:L/AC:L/UI:N). Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8. A proof-of-concept demonstrates reliable crashes via a race condition, as verified by introducing a delay in bpf_shim_tramp_link_release, which triggers the UAF almost 100% of the time pre-patch.
Mitigation is provided through kernel patches available in stable trees, including commits 3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2, 4e8a0005d633a4adc98e3b65d5080f93b90d356b, 529e685e522b9d7fb379dbe6929dcdf520e34c8c, 56145d237385ca0e7ca9ff7b226aaf2eb8ef368b, and 9b02c5c4147f8af8ed783c8deb5df927a55c3951. The fix adds an atomic non-zero refcount check in bpf_trampoline_link_cgroup_shim, ensuring the refcount is only incremented if not already zero, preventing the UAF. Post-patch testing confirms no crashes occur even after millions of iterations with the artificial delay.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15269
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but…
more
may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'. Based on Martin KaFai Lau's suggestions, I have created a simple patch. To fix this: Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is not already zero. Testing: I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger: static void bpf_shim_tramp_link_release(struct bpf_link *link) { /* ... */ if (!shim_link->trampoline) return; + msleep(100); WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link, shim_link->trampoline, NULL)); bpf_trampoline_put(shim_link->trampoline); } Before the patch, running a PoC easily reproduced the crash(almost 100%) with a call trace similar to KaiyanM's report. After the patch, the bug no longer occurs even after millions of iterations.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel UAF in BPF subsystem directly enables privilege escalation via exploitation of the race condition for arbitrary kernel code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely application of kernel patches directly remediates the use-after-free vulnerability in bpf_trampoline_link_cgroup_shim caused by the refcount race condition.
Vulnerability scanning identifies Linux kernel versions affected by CVE-2026-23319, enabling prioritization of remediation for the BPF trampoline UAF.
Kernel memory protection mechanisms like KASLR and SMAP hinder exploitation of the UAF in the BPF cgroup shim even if the refcount race occurs.