Skip to main content

Linux Kernel CVE-2026-53078

| EUVDEUVD-2026-38946 HIGH
2026-06-24 Linux GHSA-pwr6-cvf5-35f3
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.3 HIGH

Local attacker needs BPF-load privilege (PR:L, AV:L) with a reliable trigger (AC:L); strong kernel-pointer/OOB info leak (C:H) and crash potential (A:H), with limited demonstrated write impact (I:L).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:06 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops

When a BPF sock_ops program accesses ctx fields with dst_reg == src_reg, the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the destination register in the !fullsock / !locked_tcp_sock path.

Both macros borrow a temporary register to check is_fullsock / is_locked_tcp_sock when dst_reg == src_reg, because dst_reg holds the ctx pointer. When the check is false (e.g., TCP_NEW_SYN_RECV state with a request_sock), dst_reg should be zeroed but is not, leaving the stale ctx pointer:

  • SOCK_OPS_GET_SK: dst_reg retains the ctx pointer, passes NULL checks

as PTR_TO_SOCKET_OR_NULL, and can be used as a bogus socket pointer, leading to stack-out-of-bounds access in helpers like bpf_skc_to_tcp6_sock().

  • SOCK_OPS_GET_FIELD: dst_reg retains the ctx pointer which the

verifier believes is a SCALAR_VALUE, leaking a kernel pointer.

Fix both macros by:

  • Changing JMP_A(1) to JMP_A(2) in the fullsock path to skip the

added instruction.

  • Adding BPF_MOV64_IMM(si->dst_reg, 0) after the temp register

restore in the !fullsock path, placed after the restore because dst_reg == src_reg means we need src_reg intact to read ctx->temp.

AnalysisAI

Out-of-bounds read and kernel pointer leak in the Linux kernel's eBPF sock_ops subsystem lets a local low-privileged actor able to load BPF programs disclose kernel memory and corrupt kernel state. The SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the destination register on the !fullsock/!locked_tcp_sock path when dst_reg == src_reg, leaving a stale ctx pointer that the verifier mistakes for a valid socket or a scalar. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local BPF-load capability
Delivery
Load crafted sock_ops BPF program
Exploit
Drive TCP into TCP_NEW_SYN_RECV (!fullsock)
Execution
Trigger dst==src ctx read leaving stale pointer
Persist
Leak kernel pointer or OOB-read via socket helper
Impact
Defeat KASLR or crash kernel

Vulnerability AssessmentAI

Exploitation Exploitation requires the local ability to load and attach a BPF_PROG_TYPE_SOCK_OPS program (CAP_BPF/CAP_NET_ADMIN, or a system with unprivileged BPF enabled via kernel.unprivileged_bpf_disabled=0), and the program must access a ctx field using the SOCK_OPS_GET_SK / SOCK_OPS_GET_FIELD code path with dst_reg == src_reg. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a real but bounded, locally-scoped issue rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user (or a low-privileged container with BPF load rights) attaches a crafted sock_ops BPF program that reads a socket context field using the same register as source and destination, then drives a TCP connection into the TCP_NEW_SYN_RECV state so the !fullsock branch is taken. The program then either reads back the leaked kernel pointer to defeat KASLR or passes the stale ctx pointer to a helper like bpf_skc_to_tcp6_sock() to trigger a stack out-of-bounds access. …
Remediation Upstream fix available (commit); the released patched kernel version is not independently confirmed beyond the stable git commits, so apply your distribution's updated kernel package once it incorporates stable commits 18e3ffde1822f0b48b1753bf34aa97ce839df1d8 and 10f86a2a5c91fc4c4d001960f1c21abe52545ef6 (see https://git.kernel.org/stable/c/18e3ffde1822f0b48b1753bf34aa97ce839df1d8 and https://git.kernel.org/stable/c/10f86a2a5c91fc4c4d001960f1c21abe52545ef6). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory Linux systems and identify which allow unprivileged BPF program loading; assess exposure in containerized and multi-tenant environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy