Skip to main content

Linux Kernel EUVDEUVD-2026-32165

| CVE-2026-45839 HIGH
Improper Validation of Array Index (CWE-129)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-hj8v-m57h-q9mq
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.5 MEDIUM

Local CAP_BPF caller (AV:L/PR:L), deterministic trigger (AC:L); demonstrated impact is a kernel crash so A:H with C/I:N absent evidence of disclosure or write.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
CVE Published
Jun 26, 2026 - 19:25 cve.org
HIGH 7.8
Analysis Generated
Jun 26, 2026 - 19:24 vuln.today
CVSS changed
Jun 26, 2026 - 19:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 11:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()

CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. "0:1:2" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf("%d"), so negative values like -1 are silently accepted. The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.

When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array. A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions). The bug is reachable with CAP_BPF:

BUG: unable to handle page fault for address: ffffed11818b6626 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full) RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354) RAX: 00000000ffffffff Call Trace: <TASK> bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321) bpf_core_apply (kernel/bpf/btf.c:9507) check_core_relo (kernel/bpf/verifier.c:19475) bpf_check (kernel/bpf/verifier.c:26031) bpf_prog_load (kernel/bpf/syscall.c:3089) __sys_bpf (kernel/bpf/syscall.c:6228) </TASK>

CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.

AnalysisAI

Local denial of service in the Linux kernel's BPF CO-RE relocation parser allows a process holding CAP_BPF to deterministically crash the system by loading a BPF program with a negative CO-RE accessor index. The flaw stems from bpf_core_parse_spec() in the libbpf relocation core accepting negative values from sscanf("%d") that bypass upper-bound checks due to integer promotion, ultimately driving an out-of-bounds read past the BTF members array. EPSS is negligible (0.01%) and there is no public exploit identified at time of analysis; a kernel oops backtrace is published in the changelog but it serves as a crash reproducer rather than a weaponized exploit.

Technical ContextAI

The vulnerability lives in the kernel's BPF subsystem, specifically the CO-RE (Compile Once - Run Everywhere) relocation logic shared with libbpf's relo_core.c, invoked during BPF_PROG_LOAD via bpf_core_apply() -> bpf_core_calc_relo_insn() -> bpf_core_parse_spec(). CO-RE accessor strings are colon-separated indices (e.g. '0:1:2') describing a path from a root BTF type to a target field across nested struct members. The root cause maps to CWE-129 (Improper Validation of Array Index): each component is parsed with sscanf("%d"), so a negative value such as -1 is accepted, and the only guard (access_idx >= btf_vlen(t)) fails to catch it because the __u16 result of btf_vlen is promoted to int, making (int)(-1) >= (int)(N) false for any positive N. The negative index then propagates into btf_member_bit_offset() where it is cast to u32 0xffffffff, indexing far outside the members array. The condition requires CONFIG_DEBUG_INFO_BTF=y (vmlinux BTF), which is the default on major distributions, so any struct present in vmlinux BTF such as task_struct is a viable trigger target.

RemediationAI

Apply the vendor-released stable kernel update containing the fix: upgrade to 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1-rc1 (or later within each series) as published via the kernel.org stable commits (https://git.kernel.org/stable/c/1c22483a2c4bbf747787f328392ca3e68619c4dc and the related backport commits), and consume the corresponding fixed package from your distribution. The fix adds an explicit rejection of negative CO-RE accessor indices immediately after parsing in bpf_core_parse_spec(). Where the kernel cannot be patched immediately, the most effective compensating control is to remove the attack surface: revoke CAP_BPF from untrusted processes and containers, and tighten kernel.unprivileged_bpf_disabled (sysctl) so non-privileged users cannot load BPF programs - the side effect is that legitimate BPF-using tooling (observability agents, eBPF networking, some container runtimes) loses the ability to load programs. As a deeper but more disruptive option, building the kernel without CONFIG_DEBUG_INFO_BTF removes the vmlinux BTF the trigger relies on, at the cost of breaking CO-RE-based eBPF tooling entirely; this is generally not advisable on production observability hosts.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32165 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy