Skip to main content

Linux Kernel EUVDEUVD-2026-32216

| CVE-2026-45932 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-p87w-4q4g-fjpw
7.3
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:29 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.3 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.3

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix tcx/netkit detach permissions when prog fd isn't given

This commit fixes a security issue where BPF_PROG_DETACH on tcx or netkit devices could be executed by any user when no program fd was provided, bypassing permission checks. The fix adds a capability check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case.

AnalysisAI

Privilege escalation in the Linux kernel BPF subsystem allows unprivileged local users to detach tcx and netkit BPF programs from network devices without holding CAP_NET_ADMIN or CAP_SYS_ADMIN, due to a missing capability check in BPF_PROG_DETACH when no program file descriptor is supplied. The flaw enables low-privileged attackers to tamper with networking integrity and availability on affected kernels, though no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%.

Technical ContextAI

The vulnerability resides in the Linux kernel's BPF (Berkeley Packet Filter) infrastructure, specifically in the tcx (TC eXpress) and netkit hook attach/detach logic used to manage traffic control and virtual networking BPF programs. The BPF_PROG_DETACH syscall path normally validates that the caller holds CAP_NET_ADMIN or CAP_SYS_ADMIN when manipulating network-scoped programs, but the code path taken when the userspace caller omits a program file descriptor failed to enforce that capability gate, allowing any local user to remove BPF programs attached to a device. While no CWE was assigned by NVD, the root cause is a classic missing-authorization defect (CWE-862 class) in a privileged kernel syscall handler, which the upstream fix remediates by adding the explicit capability check before the detach proceeds.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.18.14, 6.19.4, or any later stable release that includes commits ae23bc81ddf7c17b663c4ed1b21e35527b0a7131, 4e0772cded109c238411f2fac36ac39302758b81, or 3f04cc1e5374da4c5e791ae010a06cfea7bacbe6 (see https://git.kernel.org/stable/c/ae23bc81ddf7c17b663c4ed1b21e35527b0a7131, https://git.kernel.org/stable/c/4e0772cded109c238411f2fac36ac39302758b81, and https://git.kernel.org/stable/c/3f04cc1e5374da4c5e791ae010a06cfea7bacbe6), and rebuild downstream distribution kernels accordingly. Where immediate kernel upgrade is not feasible, restrict the bpf() syscall on multi-tenant systems by enabling kernel.unprivileged_bpf_disabled=1 via sysctl (this prevents unprivileged BPF use broadly and may break workloads that rely on user-mode BPF such as some observability agents), or apply a seccomp filter at the container/sandbox layer to block BPF_PROG_DETACH for untrusted processes (which requires per-workload tuning and may interfere with legitimate program lifecycle management). On container hosts, ensuring containers do not receive CAP_BPF and run under user namespaces without host-network privileges further reduces exposure at the cost of constraining networking-oriented workloads.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32216 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy