Skip to main content

Linux Kernel EUVDEUVD-2026-32235

| CVE-2026-45951 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-gr6f-x92j-c7m6
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.7 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:31 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a potential use-after-free of BTF object

Refcounting in the check_pseudo_btf_id() function is incorrect: the __check_pseudo_btf_id() function might get called with a zero refcounted btf. Fix this, and patch related code accordingly.

v3: rephrase a comment (AI) v2: fix a refcount leak introduced in v1 (AI)

AnalysisAI

Local privilege escalation in the Linux kernel's BPF subsystem stems from incorrect refcounting in check_pseudo_btf_id() that can leave a BTF (BPF Type Format) object with a zero refcount while still in use, creating a use-after-free condition. Affected kernels (around 6.14 through pre-patch 6.18.14/6.19.4) allow a local low-privileged user capable of loading BPF programs to corrupt kernel memory, with no public exploit identified at time of analysis and EPSS scoring exploitation likelihood at only 0.02%.

Technical ContextAI

The bug lives in the eBPF verifier path, specifically check_pseudo_btf_id() and its helper __check_pseudo_btf_id(), which resolve BTF (BPF Type Format) object references when a BPF program loads pseudo BTF IDs. BTF objects are reference-counted kernel structures describing type metadata for BPF programs; the helper could be invoked against a BTF whose refcount had not been incremented, so a subsequent release would free memory still reachable by other code paths - a classic use-after-free (CWE-416 class) caused by mismatched acquire/release semantics. Because BPF program loading is reachable from unprivileged-ish contexts when CAP_BPF or unprivileged BPF is enabled, the surface is the kernel itself rather than a userland library, and the fix landed as three stable backports (commits ccd2d799, 9ff46ffe, eac65c27) into 6.18.14 and 6.19.4.

RemediationAI

Vendor-released patch: Linux 6.18.14 and 6.19.4 (with a 7.0 fix also referenced); upgrade affected hosts to those stable kernels or to your distribution's backported package once available, pulling from the upstream commits at https://git.kernel.org/stable/c/ccd2d799ed4467c07f5ee18c2f5c59bcc990822c, https://git.kernel.org/stable/c/9ff46ffeecdb1802d6e26183177935b948a12e7f, and https://git.kernel.org/stable/c/eac65c272f3b49021a843cba5107d63627395e0e. As a compensating control before patching, set kernel.unprivileged_bpf_disabled=1 via sysctl to block unprivileged BPF program loading (trade-off: breaks any user workload that legitimately loads BPF without CAP_BPF, including some observability and networking agents). On systems where BPF is not needed at all, drop CAP_BPF and CAP_SYS_ADMIN from containers and untrusted users, and consider seccomp filters blocking the bpf() syscall for non-privileged workloads - note this will disable tools like bpftrace, bcc, and Cilium. Reboot is required after kernel upgrade.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy