Skip to main content

Linux Kernel CVE-2026-53076

| EUVDEUVD-2026-38944 HIGH
2026-06-24 Linux GHSA-645x-23wh-rhvm
7.1
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
7.1 HIGH

Local trigger via the bpf() syscall (AV:L) with low complexity, but requires BPF map-creation privilege (PR:L); OOB read leaks kernel memory (C:H) and can crash the host (A:H) with no integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:04 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.1 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.1
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix OOB in pcpu_init_value

An out-of-bounds read occurs when copying element from a BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the same value_size that is not rounded up to 8 bytes.

The issue happens when:

  1. A CGROUP_STORAGE map is created with value_size not aligned to

8 bytes (e.g., 4 bytes)

  1. A pcpu map is created with the same value_size (e.g., 4 bytes)
  2. Update element in 2 with data in 1

pcpu_init_value assumes that all sources are rounded up to 8 bytes, and invokes copy_map_value_long to make a data copy, However, the assumption doesn't stand since there are some cases where the source may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data. the verifier verifies exactly the size that the source claims, not the size rounded up to 8 bytes by kernel, an OOB happens when the source has only 4 bytes while the copy size(4) is rounded up to 8.

AnalysisAI

Out-of-bounds kernel memory read in the Linux kernel's eBPF subsystem (pcpu_init_value) lets a local, low-privileged user with BPF access leak adjacent kernel memory and potentially crash the system. The flaw triggers when a per-CPU map is updated from a BPF_MAP_TYPE_CGROUP_STORAGE map whose value_size is not 8-byte aligned (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local BPF access (CAP_BPF or unprivileged BPF)
Delivery
Create CGROUP_STORAGE map with 4-byte value_size
Exploit
Create per-CPU map of same value_size
Execution
Update per-CPU element from storage map
Persist
pcpu_init_value over-reads source by 4 bytes
Impact
Leak adjacent kernel memory or crash host

Vulnerability AssessmentAI

Exploitation Exploitation requires local access plus the privilege to create and update BPF maps (CAP_BPF/CAP_SYS_ADMIN, or a host with unprivileged BPF enabled - PR:L in the vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a moderate, local-only issue rather than an urgent remote threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with the ability to load BPF programs (e.g. an unprivileged-BPF-enabled host or a container delegated CAP_BPF) creates a CGROUP_STORAGE map with a 4-byte value_size and a per-CPU map with the same value_size, then updates the per-CPU map using the storage map's element. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.6.141, 6.12.91, 6.18.33, or 7.0.10 (or later on the matching branch), or apply your distribution's backport of the corresponding fix commits (e19c5ed9f192 / e0378419b0e2 / 6086079e6d1c / 634a793d0e1c / 576afddfee8d) referenced at https://git.kernel.org/stable/c/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running vulnerable Linux kernel versions, prioritizing cloud and container platforms. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy