Skip to main content

Linux Kernel CVE-2026-43306

| EUVDEUVD-2026-28576 MEDIUM
2026-05-08 Linux GHSA-q637-vrq8-p3jv
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 22:30 vuln.today
CVSS changed
May 15, 2026 - 20:07 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:33 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: crypto: Use the correct destructor kfunc type

With CONFIG_CFI enabled, the kernel strictly enforces that indirect function calls use a function pointer type that matches the target function. I ran into the following type mismatch when running BPF self-tests:

CFI failure at bpf_obj_free_fields+0x190/0x238 (target: bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc) Internal error: Oops - CFI: 00000000f2008228 [#1] SMP ...

As bpf_crypto_ctx_release() is also used in BPF programs and using a void pointer as the argument would make the verifier unhappy, add a simple stub function with the correct type and register it as the destructor kfunc instead.

AnalysisAI

Local denial-of-service in Linux kernel BPF crypto subsystem allows authenticated attackers to crash the system via CFI policy violations. The vulnerability stems from a type mismatch in BPF's crypto destructor function when Control Flow Integrity (CONFIG_CFI) is enabled, causing kernel panics during object cleanup operations. Patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low likelihood of mass exploitation. No KEV listing or public exploits identified at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's Berkeley Packet Filter (BPF) crypto subsystem when compiled with Control Flow Integrity (CONFIG_CFI) enforcement. CFI is a security mitigation that validates indirect function calls match their target function's type signature at runtime. The bug occurs in bpf_obj_free_fields() which calls the destructor kfunc bpf_crypto_ctx_release(). The registered destructor type expects a void pointer parameter (standard for kfunc destructors), but bpf_crypto_ctx_release() uses a more specific struct type required by the BPF verifier. This type mismatch triggers CFI validation failures, resulting in kernel panics. The issue only manifests when CONFIG_CFI is enabled during kernel compilation, which is increasingly common in hardened Linux distributions. The fix introduces a type-correct stub wrapper function that satisfies both the CFI type checker and the BPF verifier's requirements.

RemediationAI

Upgrade to patched Linux kernel versions 6.12.75, 6.18.16, 6.19.6, or 7.0 or later, available from https://git.kernel.org/stable/. Patch commits 50d6fd69388cc7b05dce72f09080674dcede4ac9 (6.18.x), 4e3e57dbf46dad3498f8c4219ce2dba756875962 (6.12.x), b40a5d724f29fc2eed23ff353808a9aae616b48a (6.19.x), and 3979a550fe06b370d73647f59cf462fa525c9ec4 (7.0) introduce type-correct destructor stub functions. If immediate patching is not feasible, disable unprivileged BPF access via 'sysctl kernel.unprivileged_bpf_disabled=1' to prevent non-root users from triggering the vulnerability, though this breaks legitimate BPF applications including some observability tools. Alternatively, recompile kernel without CONFIG_CFI if organizational security policy permits, trading off CFI protection for stability, though this significantly weakens kernel exploit mitigations. Organizations using vendor-supported distributions should wait for official security updates rather than applying upstream patches directly to maintain support contracts.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy