Skip to main content

Linux Kernel EUVDEUVD-2026-26608

| CVE-2026-43009 HIGH
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:33 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26608
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix incorrect pruning due to atomic fetch precision tracking

When backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC and BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as a destination, thus receiving the old value from the memory location.

The current backtracking logic does not account for this. It treats atomic fetch operations the same as regular stores where the src register is only an input. This leads the backtrack_insn to fail to propagate precision to the stack location, which is then not marked as precise!

Later, the verifier's path pruning can incorrectly consider two states equivalent when they differ in terms of stack state. Meaning, two branches can be treated as equivalent and thus get pruned when they should not be seen as such.

Fix it as follows: Extend the BPF_LDX handling in backtrack_insn to also cover atomic fetch operations via is_atomic_fetch_insn() helper. When the fetch dst register is being tracked for precision, clear it, and propagate precision over to the stack slot. For non-stack memory, the precision walk stops at the atomic instruction, same as regular BPF_LDX. This covers all fetch variants.

Before:

0: (b7) r1 = 8 ; R1=8 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8 2: (b7) r2 = 0 ; R2=0 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm 4: (bf) r3 = r10 ; R3=fp0 R10=fp0 5: (0f) r3 += r2 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10 mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0 6: R2=8 R3=fp8 6: (b7) r0 = 0 ; R0=0 7: (95) exit

After:

0: (b7) r1 = 8 ; R1=8 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8 2: (b7) r2 = 0 ; R2=0 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm 4: (bf) r3 = r10 ; R3=fp0 R10=fp0 5: (0f) r3 += r2 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10 mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0 mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1 mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8 6: R2=8 R3=fp8 6: (b7) r0 = 0 ; R0=0 7: (95) exit

AnalysisAI

Linux kernel BPF verifier incorrectly prunes execution paths due to imprecise state tracking in atomic fetch operations, allowing local attackers to bypass security checks in eBPF programs. The verifier's backtracking logic fails to mark stack slots as precise when BPF_ATOMIC instructions with BPF_FETCH modify both memory and destination registers, causing two legitimately different program states to be incorrectly considered equivalent during path pruning. Vendor patches available in kernel versions 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of mass exploitation, though successful exploitation grants high confidentiality, integrity, and availability impact per CVSS 7.8.

Technical ContextAI

The vulnerability affects the Linux kernel's extended Berkeley Packet Filter (eBPF) verifier, specifically the precision tracking mechanism used during program validation. eBPF allows user-space programs to run sandboxed code in kernel context for networking, tracing, and security monitoring. The verifier uses state pruning as an optimization-if two program states are deemed equivalent, one branch can be skipped. Precision tracking determines which registers and stack slots must be tracked exactly versus abstractly. BPF_ATOMIC instructions with BPF_FETCH (atomic_fetch_add, atomic_xchg, atomic_cmpxchg) perform read-modify-write operations where the source register simultaneously provides input AND receives the old memory value. The backtrack_insn() function, responsible for propagating precision requirements backward through the instruction stream, only handled these as stores (src as input only), not as loads (src as destination). This caused stack slots involved in atomic fetch operations to not be marked precise, violating the verifier's invariants. Affected code paths include all BPF program types using atomic operations with fetch semantics on stack memory, introduced in kernel 5.12 when atomic operations were added to eBPF.

RemediationAI

Upgrade to patched Linux kernel versions 6.19.12 (stable branch) or 7.0 (mainline) which include commit 179ee84a89114b854ac2dd1d293633a7f6c8dac1 and 7ffbe45b1d227e24659998a91cfd4c27af457e71. For distributions, apply vendor-provided security updates as they backport these fixes to supported kernel series. If immediate patching is not feasible, restrict eBPF program loading to only trusted root processes by disabling unprivileged BPF (sysctl kernel.unprivileged_bpf_disabled=1) and limiting CAP_BPF/CAP_SYS_ADMIN capabilities-note this breaks legitimate unprivileged eBPF use cases like unprivileged performance monitoring. For containerized environments, use seccomp profiles blocking the bpf() syscall for untrusted containers, though this prevents all in-container observability tools relying on eBPF. Verify applied patches by checking kernel version (uname -r) against vendor security bulletins. No documented workaround fully mitigates the issue without upgrading; capability restrictions reduce attack surface but do not address the verifier flaw itself.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy