Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local trigger via the bpf() syscall (AV:L) with low complexity, but requires BPF map-creation privilege (PR:L); OOB read leaks kernel memory (C:H) and can crash the host (A:H) with no integrity impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix OOB in pcpu_init_value
An out-of-bounds read occurs when copying element from a BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the same value_size that is not rounded up to 8 bytes.
The issue happens when:
- A CGROUP_STORAGE map is created with value_size not aligned to
8 bytes (e.g., 4 bytes)
- A pcpu map is created with the same value_size (e.g., 4 bytes)
- Update element in 2 with data in 1
pcpu_init_value assumes that all sources are rounded up to 8 bytes, and invokes copy_map_value_long to make a data copy, However, the assumption doesn't stand since there are some cases where the source may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data. the verifier verifies exactly the size that the source claims, not the size rounded up to 8 bytes by kernel, an OOB happens when the source has only 4 bytes while the copy size(4) is rounded up to 8.
AnalysisAI
Out-of-bounds kernel memory read in the Linux kernel's eBPF subsystem (pcpu_init_value) lets a local, low-privileged user with BPF access leak adjacent kernel memory and potentially crash the system. The flaw triggers when a per-CPU map is updated from a BPF_MAP_TYPE_CGROUP_STORAGE map whose value_size is not 8-byte aligned (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access plus the privilege to create and update BPF maps (CAP_BPF/CAP_SYS_ADMIN, or a host with unprivileged BPF enabled - PR:L in the vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a moderate, local-only issue rather than an urgent remote threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with the ability to load BPF programs (e.g. an unprivileged-BPF-enabled host or a container delegated CAP_BPF) creates a CGROUP_STORAGE map with a 4-byte value_size and a per-CPU map with the same value_size, then updates the per-CPU map using the storage map's element. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 6.6.141, 6.12.91, 6.18.33, or 7.0.10 (or later on the matching branch), or apply your distribution's backport of the corresponding fix commits (e19c5ed9f192 / e0378419b0e2 / 6086079e6d1c / 634a793d0e1c / 576afddfee8d) referenced at https://git.kernel.org/stable/c/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running vulnerable Linux kernel versions, prioritizing cloud and container platforms. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38944
GHSA-645x-23wh-rhvm