Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2023-54086

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Add preempt_count_{sub,add} into btf id deny list

The recursion check in __bpf_prog_enter* and __bpf_prog_exit* leaves preempt_count_{sub,add} unprotected. When attaching a trampoline to them we get a panic as follows:

[ 867.843050] BUG: TASK stack guard page was hit at 0000000009d325cf (stack is 0000000046a46a15..00000000537e7b28)
[ 867.843064] stack guard page: 0000 [#1] PREEMPT SMP NOPTI
[ 867.843067] CPU: 8 PID: 11009 Comm: trace Kdump: loaded Not tainted 6.2.0+ #4
[ 867.843100] Call Trace:
[ 867.843101]
[ 867.843104] asm_exc_int3+0x3a/0x40
[ 867.843108] RIP: 0010:preempt_count_sub+0x1/0xa0
[ 867.843135] __bpf_prog_enter_recur+0x17/0x90
[ 867.843148] bpf_trampoline_6442468108_0+0x2e/0x1000
[ 867.843154] ? preempt_count_sub+0x1/0xa0
[ 867.843157] preempt_count_sub+0x5/0xa0
[ 867.843159] ? migrate_enable+0xac/0xf0
[ 867.843164] __bpf_prog_exit_recur+0x2d/0x40
[ 867.843168] bpf_trampoline_6442468108_0+0x55/0x1000
...
[ 867.843788] preempt_count_sub+0x5/0xa0
[ 867.843793] ? migrate_enable+0xac/0xf0
[ 867.843829] __bpf_prog_exit_recur+0x2d/0x40
[ 867.843837] BUG: IRQ stack guard page was hit at 0000000099bd8228 (stack is 00000000b23e2bc4..000000006d95af35)
[ 867.843841] BUG: IRQ stack guard page was hit at 000000005ae07924 (stack is 00000000ffd69623..0000000014eb594c)
[ 867.843843] BUG: IRQ stack guard page was hit at 00000000028320f0 (stack is 00000000034b6438..0000000078d1bcec)
[ 867.843842] bpf_trampoline_6442468108_0+0x55/0x1000
...

That is because in __bpf_prog_exit_recur, the preempt_count_{sub,add} are called after prog->active is decreased.

Fix this by adding these two functions into the btf ids deny list.
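The recursion described above, as a user-space C model added here for illustration (it is not kernel code and not taken from the fix commits). The names `simulate`, `attach`, `recursion_check_trips` and `DEPTH_LIMIT` are hypothetical, and the depth cap stands in for the stack guard page; the model only reproduces the exit-side ordering the description states.

```c
/* User-space model, constructed for illustration; not kernel code. */
#include <stdbool.h>
#include <string.h>
#define DEPTH_LIMIT 64  /* stands in for hitting the stack guard page */

static int active;      /* models the prog->active recursion counter */
static int depth, max_depth, guard_trips;
static bool attached;
static void trampoline(void);

/* Traceable helper: an attached trampoline runs on every call. */
static void preempt_count_sub(void)
{
    if (attached && depth < DEPTH_LIMIT)
        trampoline();
}

static void trampoline(void)
{
    if (++depth > max_depth)
        max_depth = depth;
    if (++active != 1)       /* enter: the recursion check */
        guard_trips++;       /* would skip the BPF program */
    --active;                /* exit: counter dropped first ... */
    preempt_count_sub();     /* ... then the traced helper runs */
    depth--;
}

/* Model of the fix: refuse to attach to functions on the deny list. */
static bool attach(const char *func, bool patched)
{
    static const char *const deny[] = { "preempt_count_add", "preempt_count_sub" };
    for (size_t i = 0; patched && i < sizeof(deny) / sizeof(deny[0]); i++)
        if (strcmp(func, deny[i]) == 0)
            return false;
    return true;
}

/* One helper call; returns the deepest trampoline nesting reached. */
int simulate(bool patched)
{
    active = depth = max_depth = guard_trips = 0;
    attached = attach("preempt_count_sub", patched);
    preempt_count_sub();
    return max_depth;
}
int recursion_check_trips(void) { return guard_trips; }
```

In the unpatched model the nesting runs to the cap while the recursion check never trips, because the counter is already back at zero each time the helper is re-entered; with the deny list the attach is refused and the depth stays at zero.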

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Linux kernel BPF bug leaves preempt_count_{add,sub} unprotected, allowing a trampoline attachment that triggers a kernel panic via stack guard page hits.

Vulnerability

A recursion-safety oversight in the BPF subsystem leaves the preempt_count_sub and preempt_count_add helper functions exposed to trampoline attachment. The kernel's __bpf_prog_enter_recur and __bpf_prog_exit_recur functions, which manage the per-program recursion counter, call these preemption-count helpers after the recursion guard (prog->active) has already been decremented. This ordering creates a window where a BPF trampoline attached to preempt_count_sub or preempt_count_add can be invoked during that unprotected state, leading to an infinite recursion that exhausts the kernel stack.

Exploitation

An attacker with the ability to load and attach BPF programs (i.e., having CAP_BPF or sufficient privileges) can target the preempt_count_sub or preempt_count_add functions with a trampoline. The attack does not require any user interaction beyond loading a specially crafted BPF program. By triggering the unprotected code paths in __bpf_prog_exit_recur (for example, through a BPF program that returns early or recurses), the attached trampoline will re-enter the same function, causing repeated stack guard page hits and eventually a kernel panic [1][2].

Impact

The vulnerability results in a denial of service (system crash) via a kernel panic. The crash trace shows multiple concurrent "BUG: stack guard page was hit" messages for both the task stack and IRQ stacks, indicating that the recursion can rapidly consume available kernel stack space. No privilege escalation or data leak is described in the source material.

Mitigation

The fix, introduced in Linux kernel commits [1] and [2], adds both preempt_count_sub and preempt_count_add to the BTF ID deny list, preventing BPF trampolines from being attached to these functions. Administrators should apply the updated kernel from their distribution's stable release. No workaround is available without patching, as the bug exists in the core BPF trampoline logic.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
