CVE-2023-53790
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Zeroing allocated object from slab in bpf memory allocator
Currently the freed element in bpf memory allocator may be immediately reused, for htab map the reuse will reinitialize special fields in map value (e.g., bpf_spin_lock), but lookup procedure may still access these special fields, and it may lead to hard-lockup as shown below:
NMI backtrace for cpu 16 CPU: 16 PID: 2574 Comm: htab.bin Tainted: G L 6.1.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), RIP: 0010:queued_spin_lock_slowpath+0x283/0x2c0 ...... Call Trace:
copy_map_value_locked+0xb7/0x170 bpf_map_copy_value+0x113/0x3c0 __sys_bpf+0x1c67/0x2780 __x64_sys_bpf+0x1c/0x20 do_syscall_64+0x30/0x60 entry_SYSCALL_64_after_hwframe+0x46/0xb0 ......
For htab map, just like the preallocated case, these is no need to initialize these special fields in map value again once these fields have been initialized. For preallocated htab map, these fields are initialized through __GFP_ZERO in bpf_map_area_alloc(), so do the similar thing for non-preallocated htab in bpf memory allocator. And there is no need to use __GFP_ZERO for per-cpu bpf memory allocator, because __alloc_percpu_gfp() does it implicitly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in Linux kernel's BPF memory allocator can corrupt hash map spinlocks, leading to a hard lockup; fixed by zeroing reused slab objects.
Vulnerability
In the Linux kernel, the BPF memory allocator for hash maps (htab) reuses freed slab objects without zeroing them. When an element is freed and then immediately reused, the allocator leaves stale data, including special fields like bpf_spin_lock, in an inconsistent state. The lookup operation (copy_map_value_locked) may then access these corrupted spinlocks, causing a system-wide hard lockup. [1]
Exploitation
An authenticated local user able to create and manipulate BPF hash maps can trigger the condition. The race occurs on concurrent map accesses—a lookup_elem executing while the same element is being reused from the slab cache—without proper synchronization. No new capabilities or network access are required; the prerequisite is only CAP_BPF or permissions to use bpf system calls.
Impact
A successful exploitation leads to a denial of service (DoS) via an unrecoverable kernel lockup (NMI backtrace shown in the report). The flaw does not provide arbitrary code execution or privilege escalation, but the hard lockup can crash the entire system. Affected kernels include versions from the introduction of the BPF slab allocator until the fix was merged in stable updates. [2]
Mitigation
The fix initializes reused slab objects with __GFP_ZERO in the non-preallocated htab path, matching the behavior of the preallocated allocator. Per-CPU allocators already zero memory implicitly. The patch has been backported to stable kernel releases as shown in the referenced commits [1][2]. Users should update to the latest kernel containing this fix. No workaround short of disabling BPF is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
3997849c4b969678ea18d62405d447e04290eVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.