Skip to main content

Linux Kernel EUVDEUVD-2026-32251

| CVE-2026-45967 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9w48-f7hv-5x3j
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges required to load BPF programs; double-offset causes kernel fault with high availability impact and no confirmed confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.2 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 04:59 vuln.today
CVSS changed
Jun 16, 2026 - 02:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bpf: Return proper address for non-zero offsets in insn array

The map_direct_value_addr() function of the instruction array map incorrectly adds offset to the resulting address. This is a bug, because later the resolve_pseudo_ldimm64() function adds the offset. Fix it. Corresponding selftests are added in a consequent commit.

AnalysisAI

Kernel crash (denial of service) in the Linux kernel BPF subsystem affects local low-privileged users due to a double-offset bug in the instruction array map. The map_direct_value_addr() function incorrectly adds the caller-supplied offset to the returned address, then resolve_pseudo_ldimm64() adds it a second time, resulting in an incorrect memory address that can trigger a kernel fault. No public exploit exists and the EPSS score is 0.02% (5th percentile), indicating very low opportunistic exploitation risk, but the availability impact is rated High per CVSS.

Technical ContextAI

The affected code resides in the Linux kernel BPF subsystem's instruction array map implementation (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*). BPF programs can reference map values directly via LD_IMM64 pseudo-instructions; resolve_pseudo_ldimm64() resolves these at load time by calling map_direct_value_addr() to obtain the base address and then adding the requested offset. The bug is that map_direct_value_addr() for the instruction array map also adds the offset itself, causing a double-application of the offset. This is an off-by-offset logic error - effectively an incorrect pointer arithmetic issue - rather than a classic CWE-classified weakness (CWE is listed as N/A). The resulting stale or out-of-bounds address can cause the kernel to access invalid memory, leading to a kernel panic or oops (Availability: High). The metadata tags also flag 'Information Disclosure,' which is plausible if the wrong memory address resolves to readable kernel data rather than faulting, though the supplied CVSS vector specifies C:N - this conflict is unresolved in the available data.

RemediationAI

Vendor-released patches are available: upgrade to Linux kernel 6.19.4 or 7.0, which include the upstream fix commits e3bd7bdf5ffe49d8381e42843f6e98cd0c78a1e8 and 73ef43202a37d779a8e665a0acae214fa59df9fb respectively (see https://git.kernel.org/stable/c/e3bd7bdf5ffe49d8381e42843f6e98cd0c78a1e8 and https://git.kernel.org/stable/c/73ef43202a37d779a8e665a0acae214fa59df9fb). If an immediate kernel upgrade is not possible, a targeted compensating control is to restrict unprivileged BPF program loading by setting kernel.unprivileged_bpf_disabled=1 via sysctl - note this will prevent non-root users from loading any BPF programs and may break observability tooling (e.g., user-space BPF applications running without root). Systems already enforcing BPF access controls (e.g., via seccomp, SELinux, or requiring CAP_BPF) have inherently reduced exposure and should treat this as a routine patching item.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32251 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy