DEBIAN-CVE-2026-23319

In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix a UAF issue in bpftrampolinelinkcgroupshim  The root cause of this bug is that when 'bpflinkput' reduces the refcount of 'shimlink->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progshlist' in 'cgroupshimfind'. The actual cleanup of 'tr->progshlist' in 'bpfshimtramplinkrelease' is deferred. During this window, another process can cause a use-after-free via 'bpftrampolinelinkcgroupshim'.  Based on Martin KaFai Lau's suggestions, I have created a simple patch.  To fix this:    Add an atomic non-zero check in 'bpftrampolinelinkcgroupshim'.    Only increment the refcount if it is not already zero.  Testing:    I verified the fix by adding a delay in    'bpfshimtramplinkrelease' to make the bug easier to trigger:  static void bpfshimtramplinkrelease(struct bpflink link) { / ... */ if (!shimlink->trampoline) return;  + msleep(100); WARNONONCE(bpftrampolineunlinkprog(&shimlink->link, shimlink->trampoline, NULL)); bpftrampolineput(shim_link->trampoline); }  Before the patch, running a PoC easily reproduced the crash(almost 100%) with a call trace similar to KaiyanM's report. After the patch, the bug no longer occurs even after millions of iterations.