Skip to main content

Linux Kernel EUVDEUVD-2026-28605

| CVE-2026-43321 HIGH
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-67fg-rv2j-g7r7
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:23 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
HIGH 7.8
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Properly mark live registers for indirect jumps

For a gotox rX instruction the rX register should be marked as used in the compute_insn_live_regs() function. Fix this.

AnalysisAI

Improper register liveness tracking in the Linux kernel eBPF verifier allows local authenticated users to potentially achieve information disclosure, privilege escalation, or denial of service through crafted BPF programs. The vulnerability stems from the compute_insn_live_regs() function failing to mark registers as used during indirect jump ('gotox rX') instructions, enabling attackers with BPF program loading privileges to manipulate register state tracking. With EPSS exploitation probability at 0.02% (5th percentile) and no evidence of active exploitation or public POC, this represents a theoretical risk primarily for systems where unprivileged users can load BPF programs. Vendor patches are available for kernel versions 6.18.16, 6.19.6, and 7.0.

Technical ContextAI

This vulnerability affects the Berkeley Packet Filter (BPF) subsystem's verification engine in the Linux kernel. BPF is a kernel-level virtual machine used for packet filtering, system tracing, and security enforcement. The verifier performs static analysis of BPF programs before execution to ensure memory safety and prevent kernel exploits. The compute_insn_live_regs() function tracks which registers contain live data at each instruction to detect uninitialized reads and prevent information leaks. The 'gotox rX' instruction performs an indirect jump where the target offset is stored in register rX. The bug causes the verifier to fail marking register rX as 'read' during this operation, potentially allowing attackers to craft programs that pass verification but behave unsafely at runtime by reading uninitialized kernel memory or bypassing security checks. The vulnerability spans from initial BPF implementation (commit 1da177e4c3f4) through recent versions, affecting the core register liveness analysis infrastructure.

RemediationAI

Apply vendor-released patches: upgrade to Linux kernel 6.18.16, 6.19.6, 7.0, or later versions incorporating upstream fixes from commits df02c3ff3be4, 7beae54111c3, or d1aab1ca576c. Distribution-specific patched kernels should be obtained through normal update channels (yum/dnf update kernel for RHEL/CentOS/Fedora, apt upgrade linux-image for Debian/Ubuntu, zypper update kernel-default for SUSE). Reboot required after kernel update to activate patched version. If immediate patching is not feasible, implement compensating controls: disable unprivileged BPF program loading by setting kernel.unprivileged_bpf_disabled=1 via sysctl (echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled or sysctl -w kernel.unprivileged_bpf_disabled=1), which prevents non-root users from loading BPF programs but does not affect system functionality unless applications specifically require unprivileged BPF (rare in production). Note this mitigation is ineffective against attackers who already possess CAP_BPF, CAP_SYS_ADMIN, or root access. Review and restrict user access to CAP_BPF capability in containerized environments using seccomp profiles or AppArmor/SELinux policies that block bpf() syscall for untrusted workloads, though this may break legitimate monitoring tools like bpftrace or cilium. Upstream fix details and commit information available at https://git.kernel.org/stable/c/7beae54111c34ca63357ef120e115889b915beb5.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28605 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy