Skip to main content

Linux Kernel EUVDEUVD-2026-32393

| CVE-2026-45927 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mx29-fw97-m6gr
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local vector for BPF syscall access; AC:H for race timing; PR:L for CAP_BPF; I:H reflects integrity bypass of trusted hash verification; A:N as no availability mechanism is described.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
6.3 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Red Hat
6.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 25, 2026 - 12:53 vuln.today
CVSS changed
Jun 25, 2026 - 12:52 NVD
4.7 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bpf: Require frozen map for calculating map hash

Currently, bpf_map_get_info_by_fd calculates and caches the hash of the map regardless of the map's frozen state.

This leads to a TOCTOU bug where userspace can call BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map contents before freezing.

Therefore, a trusted loader can be tricked into verifying the stale hash while loading the modified contents.

Fix this by returning -EPERM if the map is not frozen when the hash is requested. This ensures the hash is only generated for the final, immutable state of the map.

AnalysisAI

BPF map hash verification in the Linux kernel is vulnerable to a TOCTOU race condition that allows a local low-privileged attacker to bypass integrity checks enforced by trusted BPF loaders. Userspace can call BPF_OBJ_GET_INFO_BY_FD to prime the hash cache, then modify the map contents in the race window before freezing it, causing a trusted loader to verify the original (stale) hash against the silently-altered map. No active exploitation is confirmed (not in CISA KEV) and EPSS is 0.02%, but the attack's integrity impact appears understated by the published CVSS vector, which records A:H/I:N - inconsistent with a hash-bypass that enables modified code/data to be loaded as trusted.

Technical ContextAI

The vulnerability resides in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically in the bpf_map_get_info_by_fd() path exposed via the BPF_OBJ_GET_INFO_BY_FD syscall command. BPF maps are kernel data structures used to share state between BPF programs and userspace; a freeze operation makes them immutable. A trusted loader workflow computes a hash of a frozen map to cryptographically bind the map's contents to a signature. CWE-367 (TOCTOU Race Condition) applies: the hash is computed and cached by the kernel before the map is frozen, leaving a window in which userspace can alter map contents. The root cause is that bpf_map_get_info_by_fd() does not gate hash computation on the map's frozen state. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* for kernel versions prior to the fix commits. The fix enforces that hash computation returns -EPERM unless the map is already frozen, eliminating the race window.

RemediationAI

The primary fix is to upgrade to Linux kernel 6.19.4 or 6.18.14 (or later), which contain the upstream patch enforcing that BPF map hash computation is gated on the frozen state of the map. Patch commits are available at the kernel.org stable tree links referenced in this CVE. For environments that cannot immediately patch, a targeted workaround is to restrict access to the BPF_OBJ_GET_INFO_BY_FD syscall command for unprivileged users via seccomp profiles or BPF LSM policy, effectively requiring CAP_SYS_ADMIN or CAP_BPF for any BPF map introspection. Note that this workaround may break legitimate BPF-based observability tooling that runs as non-root. Environments not using trusted BPF loader pipelines for integrity verification are not exposed to the meaningful impact of this bug and can treat it as lower priority pending a routine kernel maintenance update.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy