Skip to main content

Linux Kernel EUVDEUVD-2026-26609

| CVE-2026-43010 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 07, 2026 - 23:00 vuln.today
CVSS changed
May 07, 2026 - 20:37 NVD
5.5 (MEDIUM)
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26609
CVE Published
May 01, 2026 - 14:15 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject sleepable kprobe_multi programs at attach time

kprobe.multi programs run in atomic/RCU context and cannot sleep. However, bpf_kprobe_multi_link_attach() did not validate whether the program being attached had the sleepable flag set, allowing sleepable helpers such as bpf_copy_from_user() to be invoked from a non-sleepable context.

This causes a "sleeping function called from invalid context" splat:

BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 0

Fix this by rejecting sleepable programs early in bpf_kprobe_multi_link_attach(), before any further processing.

AnalysisAI

Denial of service in Linux kernel eBPF subsystem allows local attackers with standard privileges to crash the system by attaching sleepable eBPF kprobe_multi programs that invoke non-sleepable contexts. The vulnerability exists because bpf_kprobe_multi_link_attach() fails to validate the sleepable flag before program attachment, permitting sleepable helpers like bpf_copy_from_user() to execute in atomic RCU contexts, triggering kernel panics with 'sleeping function called from invalid context' errors. EPSS exploitation probability is very low at 0.02%, suggesting practical exploitation barriers despite local network access requirements.

Technical ContextAI

The Linux kernel eBPF subsystem allows user-space programs to load and attach eBPF bytecode into the kernel for observability and tracing. The kprobe_multi program type attaches to multiple kernel function entry points simultaneously and executes in atomic/RCU (Read-Copy-Update) context where sleeping operations are forbidden. The vulnerability stems from incomplete validation in the bpf_kprobe_multi_link_attach() function, which performs program attachment without checking the BPF_F_SLEEPABLE flag. When a sleepable program is attached to kprobe_multi, the runtime environment is non-sleepable but the program code may invoke sleepable helpers (kernel functions that can block or yield), violating kernel atomicity invariants. This is a context-mismatch vulnerability affecting the eBPF JIT compilation and runtime verification layer.

RemediationAI

Apply kernel patch from one of the three upstream commits: dc9a060d76c12b23c5f378ee115d5e5d03d8bbf3, f952157e695fd434bdc05af63a703bb082a78717, or eb7024bfcc5f68ed11ed9dd4891a3073c15f04a8 (available via https://git.kernel.org/stable/). Update to patched kernel versions: 6.19.12 or later for 6.19.x series, 7.0 or later for 7.x series, or 6.18.22 or later for 6.18.x series. The fix adds a simple validation check in bpf_kprobe_multi_link_attach() that rejects any program with the BPF_F_SLEEPABLE flag set before attachment proceeds. If immediate patching is infeasible, restrict eBPF program loading via sysctl kernel.unprivileged_bpf_disabled=1 (disables unprivileged eBPF, trades functionality for security), or use LSM/MAC policies (AppArmor, SELinux) to prevent untrusted users from invoking the bpf() syscall with BPF_PROG_LOAD commands. Note: restricting BPF loading may break monitoring/tracing infrastructure; coordination with observability teams is required.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26609 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy