Skip to main content

Linux Kernel EUVDEUVD-2026-27373

| CVE-2026-43070 HIGH
Out-of-bounds Read (CWE-125)
2026-05-05 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:23 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 05, 2026 - 17:31 EUVD
CVE Published
May 05, 2026 - 15:23 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reset register ID for BPF_END value tracking

When a register undergoes a BPF_END (byte swap) operation, its scalar value is mutated in-place. If this register previously shared a scalar ID with another register (e.g., after an r1 = r0 assignment), this tie must be broken.

Currently, the verifier misses resetting dst_reg->id to 0 for BPF_END. Consequently, if a conditional jump checks the swapped register, the verifier incorrectly propagates the learned bounds to the linked register, leading to false confidence in the linked register's value and potentially allowing out-of-bounds memory accesses.

Fix this by explicitly resetting dst_reg->id to 0 in the BPF_END case to break the scalar tie, similar to how BPF_NEG handles it via __mark_reg_known.

AnalysisAI

eBPF verifier in Linux kernel allows local privilege escalation through incorrect register ID handling during byte-swap operations. When BPF_END instruction performs byte swapping, the verifier fails to reset scalar register IDs, causing it to incorrectly propagate bounds checks between linked registers. This validation bypass allows authenticated local attackers with BPF program loading privileges to craft malicious eBPF programs that pass verification but achieve out-of-bounds memory access at runtime, potentially escalating to kernel-level code execution. Vendor patches available for affected 6.18.x and 6.19.x branches with EPSS score of 0.02% indicating low observed exploitation probability.

Technical ContextAI

This vulnerability resides in the Linux kernel's eBPF (extended Berkeley Packet Filter) verifier, which performs static analysis on BPF programs before allowing them to run in kernel space. The verifier tracks scalar register values and their relationships through unique IDs-when registers share an ID (via register copy operations like r1=r0), the verifier assumes they contain identical values and propagates learned bounds between them. The BPF_END instruction performs byte-order swapping (endianness conversion) and mutates the register value in-place, but unlike similar instructions (BPF_NEG), it fails to call __mark_reg_known or explicitly reset dst_reg->id to zero. This means the register retains its shared ID after its value has fundamentally changed. When subsequent conditional jumps establish bounds on the swapped register, the verifier incorrectly applies those bounds to any register still sharing the old ID, creating a state where the verifier believes a register is safely bounded when it actually contains an unrelated value. This verification-time versus runtime mismatch enables classical confused deputy attacks where verified-safe programs perform unsafe operations. The affected code paths are in the BPF register tracking logic, specifically the scalar ID management during instruction processing.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.21 or later for 6.18.x series, 6.19.11 or later for 6.19.x series, or apply backported patches from upstream commits a3125bc01884431d30d731461634c8295b6f0529 (mainline), a17443af874229408ce6b78e2c8a2b5adeb4b7d8, or 0d15c3611a2cc5d08993545d4032055ae10ae2c1. Patch details available at kernel.org stable tree references. If immediate patching is not feasible, implement compensating controls by restricting BPF program loading to root-only access: set kernel.unprivileged_bpf_disabled=1 via sysctl (blocks unprivileged BPF entirely) and audit CAP_BPF/CAP_SYS_ADMIN capability grants using audit subsystem rules. Note this breaks legitimate unprivileged BPF use cases like non-root container monitoring and some observability tools (bpftrace, kubectl-trace). For containerized environments, enforce seccomp profiles that block bpf() syscall for non-privileged containers (default in most container runtimes but verify configuration). These mitigations prevent exploitation but may impact operational tooling-test in non-production first. Kernel live-patching services (kpatch, kGraft, Ksplice) may offer hotfix without reboot for supported distributions.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27373 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy