Skip to main content

Linux Kernel EUVDEUVD-2026-28617

| CVE-2026-43333 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-2cxw-35rj-wxq7
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 22:31 vuln.today
CVSS changed
May 15, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: reject direct access to nullable PTR_TO_BUF pointers

check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check.

Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference.

Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern.

AnalysisAI

Kernel NULL pointer dereference in Linux kernel's BPF verifier allows local authenticated users to trigger a denial of service. The vulnerability stems from improper handling of nullable PTR_TO_BUF pointers in check_mem_access(), where map iterator callbacks can dereference NULL ctx->key or ctx->value pointers without validation, causing a kernel crash. Affects Linux kernel versions 5.17 through 7.0-rc4, with patches available across stable branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no evidence of public exploit code or active exploitation exists. Local access with low privileges required makes this a targeted risk rather than widespread threat.

Technical ContextAI

This vulnerability resides in the Linux kernel's extended Berkeley Packet Filter (eBPF) verification subsystem, specifically in the check_mem_access() function within the BPF verifier (kernel/bpf/verifier.c). The BPF verifier performs static analysis of eBPF programs before loading them to ensure memory safety. The issue is classified as CWE-476 (NULL Pointer Dereference). The vulnerability occurs because check_mem_access() uses base_type() to match PTR_TO_BUF pointer types, which strips the PTR_MAYBE_NULL flag during type checking. When BPF programs use map iterator callbacks, the iterator context provides ctx->key and ctx->value as PTR_TO_BUF | PTR_MAYBE_NULL pointers. During stop callbacks, these pointers are legitimately NULL, but the missing null check in check_mem_access() allows direct dereferencing, triggering a kernel NULL pointer dereference. The fix adds a type_may_be_null() guard to the PTR_TO_BUF branch, mirroring the existing safety pattern used for PTR_TO_BTF_ID pointer handling. This affects systems running BPF programs with map iterators, a feature introduced in kernel 5.17.

RemediationAI

Apply vendor patches immediately for affected kernel versions. Fixed versions are available across all stable branches: upgrade to Linux kernel 5.15.203 or later for 5.15.x series, 6.1.168+ for 6.1.x, 6.6.134+ for 6.6.x, 6.12.81+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or 7.0 mainline release. Patches are accessible via kernel.org stable git repository at the URLs provided in references (commits b0db1accbc73, 10bc4a4dcded, 4f6c99dc0420, 63276547debc, 70abd9d118da, 8755066f7bd0, 21a10c06ffae). For systems unable to immediately patch, restrict BPF program loading by removing CAP_BPF and CAP_SYS_ADMIN capabilities from untrusted users through capability filtering (e.g., via seccomp-bpf or AppArmor profiles). Alternatively, disable unprivileged BPF via sysctl kernel.unprivileged_bpf_disabled=1, though this was already default in most distributions post-5.16. Note that blocking BPF entirely will break legitimate monitoring tools (bpftrace, eBPF-based observability) and requires coordination with operations teams. Distribution-specific patched kernels may be available sooner than upstream stable releases; check RHEL, Ubuntu, SLES security advisories for backported fixes.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28617 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy