VYPR
patchPublished Jun 19, 2026· Updated Jun 20, 2026· 1 source

Linux Kernel: Three CVEs Disclosed June 19 — BPF, VTI, and RDMA Fixes

Key findings • CVE-2026-52910: Use-after-free in BPF reuseport cBPF program handling, reported with a reproducer • CVE-2026-52909: Missing netns_immutable flag in ip6_vti fallback device allo…

Key findings

  • CVE-2026-52910: Use-after-free in BPF reuseport cBPF program handling, reported with a reproducer
  • CVE-2026-52909: Missing netns_immutable flag in ip6_vti fallback device allows namespace escape
  • CVE-2026-52908: RDMA memory region re-registration fails to re-pin umem when access flags change
  • All three CVEs were patched in the mainline kernel on June 19, 2026
  • No active exploitation reported for any of the three vulnerabilities at disclosure time

Three security vulnerabilities were disclosed in the Linux kernel on June 19, 2026, spanning BPF, IPv6 VTI tunneling, and RDMA memory registration. The fixes, all merged into the mainline kernel tree, address use-after-free, namespace isolation, and memory-access compatibility issues that could lead to crashes or privilege escalation under specific conditions.

The most severe of the three is CVE-2026-52910, a use-after-free bug in the BPF subsystem's handling of reuseport groups with classic BPF (cBPF) programs. Eulgyu Kim reported the issue with a reproducer showing that replacing a cBPF program on a UDP reuseport group while another thread is concurrently sending a UDP packet can trigger a use-after-free. The root cause is that the old cBPF program is freed immediately, but a parallel socket dispatch path may still hold a reference to it. The fix defers the free via an RCU grace period, ensuring no in-flight references remain. This bug is exploitable for local privilege escalation in kernels with BPF enabled and reuseport groups in use.

CVE-2026-52909 affects the IPv6 VTI (Virtual Tunnel Interface) driver. Researchers john1988 and Noam Rathaus reported that vti6_init_net() does not set the netns_immutable flag on the per-network-namespace fallback tunnel device (ip6_vti0). Other tunnel drivers such as ip6_tunnel and sit already set this flag. Without it, a privileged user in a non-initial namespace could potentially move the fallback device to another namespace, breaking isolation guarantees. The fix adds the missing netns_immutable flag, hardening the VTI driver against namespace-crossing attacks.

CVE-2026-52908 addresses a memory-registration compatibility issue in the RDMA subsystem. When a memory region is re-registered with IB_MR_REREG_ACCESS and the access flags change from read-only (RO) to read-write (RW), the underlying umem (user memory) must be re-pinned as writable. Because the umem is stored inside each driver's private MR structure, the core RDMA stack cannot directly inspect it. The fix adds a new ib_umem function to re-evaluate and re-pin the memory when access flags change, preventing potential memory corruption or information leaks.

All three CVEs were published on June 19, 2026, within a 43-minute window, as part of the Linux kernel's regular stable release process. Patches are available in the mainline kernel repository. Users running stable or longterm kernels should update to the latest releases that include these commits. No in-the-wild exploitation has been reported for any of the three vulnerabilities at the time of disclosure.

For administrators, the BPF use-after-free (CVE-2026-52910) is the most actionable: systems using BPF-based load balancing or packet filtering with reuseport groups should prioritize this update. The VTI namespace issue (CVE-2026-52909) primarily affects containerized or multi-tenant environments using IPv6 VTI tunnels. The RDMA bug (CVE-2026-52908) is relevant to high-performance computing and storage clusters that rely on InfiniBand or RoCE. As always, applying the latest stable kernel update is the recommended mitigation.

Synthesized by Vypr AI