Skip to main content

Linux Kernel EUVDEUVD-2026-32369

| CVE-2026-45903 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9v3q-rw75-wfqg
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local BPF-load privilege gives PR:L and AV:L; primary impact is kernel memory disclosure (C:H), with no integrity and availability impact not clearly supported by the description.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 16:38 vuln.today
CVSS changed
Jun 24, 2026 - 16:37 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix memory access flags in helper prototypes

After commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking"), the verifier started relying on the access type flags in helper function prototypes to perform memory access optimizations.

Currently, several helper functions utilizing ARG_PTR_TO_MEM lack the corresponding MEM_RDONLY or MEM_WRITE flags. This omission causes the verifier to incorrectly assume that the buffer contents are unchanged across the helper call. Consequently, the verifier may optimize away subsequent reads based on this wrong assumption, leading to correctness issues.

For bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect since the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM which correctly indicates write access to potentially uninitialized memory.

Similar issues were recently addressed for specific helpers in commit ac44dcc788b9 ("bpf: Fix verifier assumptions of bpf_d_path's output buffer") and commit 2eb7648558a7 ("bpf: Specify access type of bpf_sysctl_get_name args").

Fix these prototypes by adding the correct memory access flags.

AnalysisAI

Information disclosure in the Linux kernel BPF subsystem allows a local low-privileged user with BPF program load access to leak kernel memory contents. Incorrect memory-access flags on several ARG_PTR_TO_MEM helper prototypes (notably bpf_get_stack_proto_raw_tp) cause the verifier to wrongly assume helper-written buffers are unchanged, optimizing away subsequent reads and producing stale or uninitialized data that can expose kernel memory. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and it is not in CISA KEV.

Technical ContextAI

The flaw lives in the eBPF verifier, the in-kernel static analyzer that validates BPF programs before execution. After commit 37cce22dbd51 refactored helper access-type tracking, the verifier began trusting the MEM_RDONLY / MEM_WRITE flags declared in each helper's prototype to drive memory-access optimizations. Several helpers using ARG_PTR_TO_MEM were missing the correct flag: bpf_get_stack_proto_raw_tp was marked MEM_RDONLY even though the helper writes into the buffer, so it is corrected to ARG_PTR_TO_UNINIT_MEM (write to potentially uninitialized memory). When the verifier believes a buffer is read-only but the helper actually writes it, it may elide reads that should have observed fresh data. The CWE-125 (out-of-bounds read) classification and 'Information Disclosure'/'Buffer Overflow' tags reflect that the program can end up reading kernel memory it should not, or stale buffer contents. Affected CPE is cpe:2.3:o:linux:linux_kernel across versions; the same prototype-flag class of bug was previously fixed for bpf_d_path (commit ac44dcc788b9) and bpf_sysctl_get_name (commit 2eb7648558a7).

RemediationAI

Vendor-released patch: upgrade to Linux 6.18.14, 6.19.4, or 7.0 (or your distribution's backported equivalent containing the corrected helper prototype flags). The fixes are available as stable commits: https://git.kernel.org/stable/c/802eef5afb1865bc5536a5302c068ba2215a1f72, https://git.kernel.org/stable/c/aa319592892068bd960c1a1c07bd621085b0c63d, and https://git.kernel.org/stable/c/fdfe75161f6e8c41a7d3023fbb815b537107b806. If you cannot patch immediately, reduce exposure by disabling unprivileged BPF where it is not required - set the sysctl kernel.unprivileged_bpf_disabled=1 (trade-off: breaks workloads that rely on unprivileged BPF, but it is already the default on many hardened distros) - and restrict CAP_BPF/CAP_SYS_ADMIN so only trusted users and containers can load BPF programs (trade-off: may impact observability/networking tooling such as tracing agents and eBPF-based CNIs). Track via https://nvd.nist.gov/vuln/detail/CVE-2026-45903.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy