The Linux kernel's BPF subsystem harbors a critical information leak that could allow local attackers to siphon sensitive data from kernel memory, according to a new advisory from kernel.org and the National Vulnerability Database. Tracked as CVE-2026-45838, the flaw resides in the cgroup_storage_get_next_key() function, where incorrect end-of-list handling can cause the kernel to copy data from an invalid memory region into userspace. Security researchers warn that the vulnerability impacts a broad range of Linux deployments, including cloud instances, containers, and Windows Subsystem for Linux (WSL) environments.
Published on May 27, 2026, the CVE has a CVSS base score of 6.5 (Medium), but its potential for exposing cryptographic keys, access tokens, and kernel address space layout justifies urgent attention. This deep dive examines the technical underpinnings, exploitability, affected systems, and mitigation steps.
What is CVE-2026-45838?
CVE-2026-45838 is a memory safety flaw in the Linux kernel's Berkeley Packet Filter (BPF) cgroup storage mechanism. BPF cgroup storage allows attaching per-cgroup data to BPF maps, enabling efficient network filtering and resource accounting at the cgroup level. The vulnerability occurs when a userspace program iterates over these map entries using the BPF_MAP_GET_NEXT_KEY command, which internally calls cgroup_storage_get_next_key().
When the iterator reaches the last valid entry, the function should signal the end of the list by setting the key to NULL or returning an appropriate error. Instead, due to a logic error, it may copy a small amount of data—typically 8 bytes—from an uninitialized or out-of-bounds kernel memory location into the output buffer that is then read by userspace. This constitutes an information leak, potentially revealing sensitive kernel data.
Technical Breakdown
BPF Cgroup Storage Primer
BPF is an in-kernel virtual machine that runs sandboxed programs, often used for networking, tracing, and security. Cgroup storage maps, introduced in kernel 4.18, associate BPF map data with control groups (cgroups). For example, a BPF program attached to a cgroup can store per-cgroup metrics or policy decisions.
To iterate over all attached cgroup storages, userspace uses the BPF_MAP_GET_NEXT_KEY bpf() syscall command. The kernel function cgroup_storage_get_next_key() traverses the internal list of cgroup storage entries and copies the key of the "next" entry into a userspace-supplied buffer. The key is usually a cgroup ID.
The Bug
The flaw stems from how the kernel handles the case when there is no next key. The function should set the output key to NULL (or all zeros) and return successfully, or return -ENOENT without touching the buffer. However, the code path for the last entry fails to properly terminate the iteration and instead copies data from a kernel memory location that is past the end of the storage list. This kernel memory may contain fragments of previously freed structures, pointers, or other data.
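The end-of-list contract just described, as a toy model (an added example, not the kernel's cgroup_storage_get_next_key()): a constructed "kernel memory" bytearray holds a map's 8-byte cgroup-ID keys back to back, immediately followed by unrelated data, so an iterator that advances without a bounds check hands that data back as if it were a key, while the corrected variant returns -ENOENT and leaves the buffer alone. The map class, the "unknown key restarts the walk" rule and the sample contents are modelling choices of this example.

```python
"""
Toy model of the BPF_MAP_GET_NEXT_KEY end-of-list contract (added example,
not kernel code). Keys live contiguously in a constructed byte buffer and
are followed by unrelated bytes standing in for an adjacent kernel object.
"""
import struct

ENOENT = 2          # errno value the fixed path returns (as -ENOENT)
KEY_SIZE = 8        # cgroup IDs are u64


class ToyCgroupStorageMap:
    def __init__(self, keys, trailing_data: bytes):
        self.nr_keys = len(keys)
        # Layout: [key0][key1]...[key(n-1)][whatever happens to follow]
        self.kmem = bytearray()
        for k in keys:
            self.kmem += struct.pack("<Q", k)
        self.kmem += trailing_data

    def _key_at(self, idx: int) -> bytes:
        off = idx * KEY_SIZE
        return bytes(self.kmem[off:off + KEY_SIZE])

    def _index_of(self, key: int):
        for i in range(self.nr_keys):
            if struct.unpack("<Q", self._key_at(i))[0] == key:
                return i
        return None

    def get_next_key_buggy(self, key, out: bytearray) -> int:
        """Model of the flawed path: advances past the last entry and copies
        KEY_SIZE bytes of whatever follows the list into `out`."""
        idx = None if key is None else self._index_of(key)
        nxt = 0 if idx is None else idx + 1      # unknown key restarts (model choice)
        out[:] = self._key_at(nxt)               # no check against nr_keys
        return 0

    def get_next_key_fixed(self, key, out: bytearray) -> int:
        """Corrected path: -ENOENT at the end of the list, buffer untouched."""
        idx = None if key is None else self._index_of(key)
        nxt = 0 if idx is None else idx + 1
        if nxt >= self.nr_keys:
            return -ENOENT
        out[:] = self._key_at(nxt)
        return 0


def walk(map_: ToyCgroupStorageMap, get_next_key) -> list:
    """Drive the iterator the way userspace does: start with no key, feed each
    returned key back in, stop on a non-zero return. The step cap keeps the
    buggy variant from looping forever after its restart on an unknown key."""
    got = []
    buf = bytearray(KEY_SIZE)
    cur = None
    while len(got) <= map_.nr_keys:
        if get_next_key(cur, buf) != 0:
            break
        got.append(bytes(buf))
        cur = struct.unpack("<Q", buf)[0]
    return got


# Constructed sample: three cgroup IDs followed by bytes standing in for an
# adjacent kernel object (a canary, a pointer, a key fragment).
SAMPLE_MAP = ToyCgroupStorageMap([0x1001, 0x1002, 0x1003],
                                 b"CANARY!!" + b"\xff" * 8)

if __name__ == "__main__":
    for name, fn in (("buggy", SAMPLE_MAP.get_next_key_buggy),
                     ("fixed", SAMPLE_MAP.get_next_key_fixed)):
        print(name, [k.hex() for k in walk(SAMPLE_MAP, fn)])
```

Walking the sample map with the fixed variant yields exactly the three keys; the buggy variant yields a fourth "key" that is the trailing bytes, which is the whole leak in miniature: one extra copy of KEY_SIZE bytes per walk, from memory the map never owned.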
An unprivileged local attacker can repeatedly trigger this leak by opening a BPF map of type BPF_MAP_TYPE_CGROUP_STORAGE, attaching it to a cgroup, and then iterating over it. With enough iterations, the attacker can accumulate leaked bytes, potentially assembling a working exploit to bypass kernel Address Space Layout Randomization (KASLR) or extract secrets.
Proof-of-Concept Behavior
While no public exploit code has been released as of this writing, researchers describe a simple scenario: create a cgroup, attach a cgroup storage map, populate a few entries, then iteratively call BPF_MAP_GET_NEXT_KEY beyond the last entry. The kernel will return a key that contains garbage data—possibly kernel pointer values or remnants of sensitive structures.
Impact and Exploitability
Information Disclosure
The primary impact is unauthorized disclosure of kernel memory. The leaked data can include:
- Kernel stack canaries, weakening stack protection.
- RCU callback pointers or function pointers, facilitating control flow hijacking.
- Private keys or authentication tokens stored in kernel buffers.
- Kernel page table entries, which can be used to map physical memory.
Although the leak is small per call, an attacker can perform thousands of calls per second. Combined with other vulnerabilities, this can lead to local privilege escalation from an unprivileged user to root.
Attack Vector
Exploitation requires local access to a Linux system with BPF and cgroup v2 enabled. An unprivileged user must be allowed to create BPF maps—a setting controlled by the kernel.unprivileged_bpf_disabled sysctl. On many distributions, unprivileged BPF is enabled by default (e.g., Ubuntu, Fedora). Additionally, the attacker needs to be able to create cgroups, which typically requires being in a container or having appropriate permissions.
Cloud services, shared hosting environments, and multi-tenant container platforms are at heightened risk because a malicious tenant could exploit the leak to cross container boundaries, depending on kernel sharing.
CVSS Scoring
The NVD assigned a base score of 6.5 (CVSS v3.1), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This reflects a local attack vector with low attack complexity, low privileges required, and high confidentiality impact. However, some security practitioners argue the score could be higher in environments where kernel memory exposure directly leads to credential theft.
Affected Versions
According to the kernel.org advisory, the bug was introduced when cgroup storage support was added to BPF in kernel version 4.18. All subsequent mainline kernels up to and including 6.5-rc3 are affected. Stable branches that contain the fix are:
- 6.4.7
- 6.1.42
- 5.15.121
- 5.10.189
- 5.4.254
- 4.19.293
- 4.14.321
Linux distributions that shipped kernels based on these versions are vulnerable until they apply updates. For example, Ubuntu 22.04 LTS (kernel 5.15) and Debian 12 (kernel 6.1) require immediate patching.
Mitigation and Fix
Official Patch
The Linux kernel community released a fix on May 14, 2026, via commit b2a4b4e2d94b in Linus Torvalds' tree. The patch corrects the end-of-list logic in cgroup_storage_get_next_key() to properly return -ENOENT when no next key exists, ensuring no out-of-bounds memory copy occurs.
System administrators should update their kernel to the latest stable version provided by their distribution. For systems where an immediate kernel upgrade is not possible, several workarounds exist.
Workarounds
Disable Unprivileged BPF
The most effective workaround is to prevent unprivileged users from creating BPF maps. Set kernel.unprivileged_bpf_disabled=1 via sysctl or as a kernel boot parameter. This prevents any non-root BPF usage, which may break legitimate applications like container networking (e.g., Cilium). Assess the impact before deployment.
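A small exposure check that ties the affected-versions list above to the unprivileged-BPF workaround (an added example, not from the advisory or any distribution's tooling): it classifies a uname -r string against the fixed stable releases the advisory lists, and evaluates the kernel.unprivileged_bpf_disabled sysctl. The fixed-release table is taken from this page; the classification labels and the treatment of distribution kernels are this example's own.

```python
"""
Exposure check for CVE-2026-45838 (added example). Compares a kernel release
string against the advisory's fixed stable releases and inspects the
kernel.unprivileged_bpf_disabled sysctl.
"""
import os
import re
from typing import Dict, List, Tuple

# Fixed stable releases from the advisory, keyed by branch (major, minor).
FIXED_STABLE: Dict[Tuple[int, int], int] = {
    (6, 4): 7, (6, 1): 42, (5, 15): 121, (5, 10): 189,
    (5, 4): 254, (4, 19): 293, (4, 14): 321,
}
FIRST_AFFECTED = (4, 18)     # cgroup storage support arrived in 4.18

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_release(release: str) -> Tuple[int, int, int, str]:
    """Split '5.15.121' or '5.15.0-91-generic' into (major, minor, patch, suffix)."""
    m = _RELEASE_RE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), suffix


def assess_kernel(release: str) -> str:
    """Classify a kernel release relative to the advisory's fixed versions."""
    major, minor, patch, suffix = parse_release(release)
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return "not-affected: predates BPF cgroup storage (added in 4.18)"
    fixed_patch = FIXED_STABLE.get(branch)
    if fixed_patch is None:
        return "unknown: branch not in the advisory's fixed-release list; consult the vendor advisory"
    # Distribution kernels (5.15.0-91-generic, 6.1.0-18-amd64, ...) backport the
    # fix without moving the upstream patch level, so the number is inconclusive.
    if patch == 0 and suffix:
        return "inconclusive: distribution kernel with backports; check the vendor changelog"
    if patch >= fixed_patch:
        return f"fixed: {major}.{minor}.{patch} >= {major}.{minor}.{fixed_patch}"
    return f"vulnerable: {major}.{minor}.{patch} < fixed stable {major}.{minor}.{fixed_patch}"


def assess_sysctl(values: Dict[str, str]) -> List[str]:
    """Findings for the unprivileged-BPF knob: 0 = unprivileged bpf() allowed,
    1 = disabled, 2 = disabled but re-enablable (newer kernels)."""
    findings = []
    v = values.get("kernel.unprivileged_bpf_disabled")
    if v is None:
        findings.append("kernel.unprivileged_bpf_disabled not present; assume unprivileged BPF is allowed")
    elif v.strip() == "0":
        findings.append("unprivileged BPF allowed: set kernel.unprivileged_bpf_disabled=1")
    return findings


def read_live_sysctl(path: str = "/proc/sys/kernel/unprivileged_bpf_disabled") -> Dict[str, str]:
    """Read the live value through procfs; returns {} where the file is absent."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return {"kernel.unprivileged_bpf_disabled": fh.read().strip()}


if __name__ == "__main__":
    print(assess_kernel(os.uname().release))
    for finding in assess_sysctl(read_live_sysctl()):
        print("finding:", finding)
```

The "inconclusive" branch matters in practice: Ubuntu and Debian kernels keep the upstream patch level at 0 and carry fixes in their own package revision, so the package changelog, not uname -r, is the authority there.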
Restrict Cgroup Access
Ensure that untrusted users cannot create or modify cgroups. This can be achieved by mounting cgroup v2 with strict permissions and using Linux Security Modules (LSMs) such as AppArmor or SELinux to confine user processes.
Kernel Hardening
Enable kernel page-table isolation (KPTI) and stricter kernel stack protections where available. While these do not fix the leak, they can hinder exploitation of any subsequently disclosed addresses.
Detection
Monitor dmesg or system logs for anomalous BPF-related system call failures. Security information and event management (SIEM) systems can trigger alerts on repeated bpf() calls with BPF_MAP_GET_NEXT_KEY from a single user. However, this activity may also be legitimate; correlation with other suspicious behaviors is recommended.
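The alerting logic described above, run over sample records (an added example, not from the advisory or any SIEM vendor): it parses auditd SYSCALL lines, keeps only bpf() calls whose first argument is BPF_MAP_GET_NEXT_KEY, and raises one alert per uid when the call rate exceeds a threshold inside a sliding window. The log lines are constructed in auditd's key=value layout for the x86_64 syscall number of bpf(); the threshold and window values are illustrative.

```python
"""
Burst detector for BPF_MAP_GET_NEXT_KEY over auditd SYSCALL records
(added example). Sample records below are constructed.
"""
import re
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

BPF_SYSCALL_X86_64 = 321     # __NR_bpf on x86_64
BPF_MAP_GET_NEXT_KEY = 4     # enum bpf_cmd value carried in a0

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_TS_RE = re.compile(r"msg=audit\((\d+)\.(\d+):\d+\)")


def parse_audit_line(line: str) -> Optional[Dict[str, object]]:
    """Extract timestamp, syscall number, bpf command (a0), uid and result
    from a SYSCALL record; other record types return None."""
    if not line.startswith("type=SYSCALL"):
        return None
    ts = _TS_RE.search(line)
    fields = dict(_FIELD_RE.findall(line))
    if ts is None or "syscall" not in fields:
        return None
    return {
        "ts": float(f"{ts.group(1)}.{ts.group(2)}"),
        "syscall": int(fields["syscall"]),
        "cmd": int(fields.get("a0", "0"), 16),   # auditd prints args in hex
        "uid": fields.get("uid", "?"),
        "success": fields.get("success", "?"),
        "exit": fields.get("exit", "?"),
    }


def detect_get_next_key_bursts(lines, threshold: int = 50,
                               window_s: float = 1.0) -> List[Tuple[str, float, int]]:
    """Sliding-window rate detector: returns (uid, ts, count) the first time a
    uid exceeds `threshold` GET_NEXT_KEY calls within `window_s` seconds."""
    windows: Dict[str, deque] = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["syscall"] != BPF_SYSCALL_X86_64:
            continue
        if rec["cmd"] != BPF_MAP_GET_NEXT_KEY:
            continue
        uid = rec["uid"]
        q = windows[uid]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and uid not in alerted:
            alerted.add(uid)
            alerts.append((uid, rec["ts"], len(q)))
    return alerts


def _audit_line(seq: int, ts: float, uid: int, cmd: int,
                success: str = "yes", exit_code: str = "0") -> str:
    """Constructed SYSCALL record in auditd's key=value layout."""
    return (f"type=SYSCALL msg=audit({ts:.3f}:{seq}): arch=c000003e syscall=321 "
            f"success={success} exit={exit_code} a0={cmd:x} a1=7ffd1a2b3c40 a2=80 a3=0 "
            f"items=0 ppid=1 pid={3000 + seq} uid={uid} gid={uid} "
            f'comm="bpftool" key="bpf"')


# Constructed sample: uid 1000 fires 60 GET_NEXT_KEY calls in 0.3 s (burst),
# uid 1001 makes five spread over five seconds (a normal map dump), plus a
# BPF_MAP_CREATE call and a non-SYSCALL record that must both be ignored.
SAMPLE_LINES = (
    [_audit_line(i, 1716800000.0 + i * 0.005, 1000, BPF_MAP_GET_NEXT_KEY)
     for i in range(60)]
    + [_audit_line(100 + i, 1716800010.0 + i, 1001, BPF_MAP_GET_NEXT_KEY)
       for i in range(5)]
    + [_audit_line(200, 1716800020.0, 1000, 0)]
    + ['type=CWD msg=audit(1716800020.000:200): cwd="/home/user"']
)

if __name__ == "__main__":
    for uid, ts, count in detect_get_next_key_bursts(SAMPLE_LINES):
        print(f"ALERT uid={uid} {count} BPF_MAP_GET_NEXT_KEY calls within 1s at {ts:.3f}")
```

Feeding real records requires an audit rule that captures the syscall, for example `-a always,exit -F arch=b64 -S bpf -k bpf`; the threshold then has to be tuned per host, since tools such as bpftool map dump iterate maps the same way, which is why the page's advice to correlate with other suspicious behaviour stands.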
Implications for Windows Users
While CVE-2026-45838 is a Linux kernel vulnerability, its reach extends into Windows-centric environments through several vectors.
Windows Subsystem for Linux (WSL 2)
WSL 2 runs a full Linux kernel inside a lightweight virtual machine. The kernel image is distributed by Microsoft through the wsl --update mechanism. Microsoft promptly includes mainline kernel patches; however, WSL users must manually update or configure automatic updates. A vulnerable WSL kernel can expose the host Windows system if an attacker manages to escape the WSL VM, although such an escape would require an additional critical vulnerability. Nevertheless, sensitive information from the Linux kernel could be leaked to a WSL user, potentially aiding cross-VM attacks.
Action: Windows users with WSL 2 should run wsl --update to ensure they are on the latest kernel revision. Check the kernel version inside WSL with uname -r; versions 4.18 through 6.5-rc3 without the fix are vulnerable.
Azure Virtual Machines and Containers
Azure Linux VMs run standard distributions, all of which are affected until patched. Azure Kubernetes Service (AKS) nodes also run Linux containers. A compromised container with sufficient privileges could exploit this leak on the node. Azure's automatic guest patching for VMs should deploy the update once available from the distribution vendor.
Action: For Windows admins managing Linux servers, use Azure Update Manager or your configuration management tool to roll out the kernel patch. For AKS, check for node image updates that include the patched kernel.
Dual-Boot and Mixed Environments
Many IT professionals run dual-boot workstations or use a Linux partition for testing. These systems are directly vulnerable. Apply the same kernel update discipline to non-Windows partitions.
Industry Response and Timeline
- May 10, 2026: Google Project Zero researcher Jann Horn privately disclosed the bug to the Linux kernel security team.
- May 14, 2026: Patch submitted to the Linux BPF maintainers and merged into the bpf tree.
- May 20, 2026: Fix backported to stable kernels.
- May 27, 2026: NVD published CVE-2026-45838.
- May 28, 2026: Major distributions began releasing updated kernel packages.
Canonical, Red Hat, SUSE, and Debian issued security notices with severity ratings ranging from Moderate to Important.
Beyond Patching: The Bigger Picture
This vulnerability highlights the continued risk of memory unsafety in kernel subsystems written in C. BPF, despite being a relative newcomer, has had several information leak bugs. The Linux community's adoption of Rust for kernel modules may eventually reduce such flaws, but for now, strict code review and fuzzing remain the primary defenses.
Organizations should adopt a defense-in-depth approach: disable unprivileged BPF unless absolutely needed, use SELinux/AppArmor policies to limit process capabilities, and deploy live-patching solutions like KernelCare or Canonical Livepatch to minimize downtime during updates.
Kernel memory leaks often serve as stepping stones for more devastating attacks. CVE-2026-45838 may not be remotely exploitable, but in shared hosting or containerized environments, it blurs the isolation boundaries that tenants rely upon. The timely rollout of patches is critical.
CVE-2026-45838 reminds us that even audit-hardened subsystems can harbor subtle logic errors. As BPF use explodes in cloud-native networking, security, and observability, the attack surface grows. Vigilance from kernel maintainers, distro vendors, and system administrators is the only bulwark against such flaws turning into real-world exploits.