Skip to main content

Linux Kernel EUVDEUVD-2026-38904

| CVE-2026-53036 HIGH
Off-by-one Error (CWE-193)
2026-06-24 Linux GHSA-mfc2-6j6q-99vp
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local BPF loading needs some privilege (PR:L); triggering requires a precisely-ranged branch displacement (AC:H); a flipped kernel branch can yield full memory corruption (C/I/A:H).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:55 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Fix off-by-one in check_imm signed range check

check_imm(bits, imm) is used in the arm64 BPF JIT to verify that a branch displacement (in arm64 instruction units) fits into the signed N-bit immediate field of a B, B.cond or CBZ/CBNZ encoding before it is handed to the encoder. The macro currently tests for (imm > 0 && imm >> bits) || (imm < 0 && ~imm >> bits) which admits values in [-2^N, 2^N) - effectively a signed (N+1)-bit range. A signed N-bit field only holds [-2^(N-1), 2^(N-1)), so the check admits one extra bit of range on each side.

In particular, for check_imm19(), values in [2^18, 2^19) slip past the check but do not fit into the 19-bit signed imm19 field of B.cond. aarch64_insn_encode_immediate() then masks the raw value into the 19-bit field, setting bit 18 (the sign bit) and flipping a forward branch into a backward one. Same class of issue exists for check_imm26() and the B/BL encoding. Shift by (bits - 1) instead of bits so the actual signed N-bit range is enforced.

AnalysisAI

Local memory corruption / control-flow corruption in the Linux kernel arm64 BPF JIT stems from an off-by-one in the check_imm() branch-displacement range check, which lets a forward branch be silently rewritten into a backward branch when a B.cond/CBZ/CBNZ (imm19) or B/BL (imm26) displacement falls in the over-permissive extra bit of range. A local user able to load a BPF program on arm64 can trigger miscompiled JIT code that corrupts kernel control flow, with potential for code execution, data corruption, or denial of service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local BPF-loading capability on arm64 host
Delivery
Craft eBPF program with out-of-range branch displacement
Exploit
JIT mis-encodes branch flipping forward to backward
Execution
Run program to divert kernel control flow
Persist
Kernel memory corruption or crash
Impact
Potential privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) an arm64/AArch64 Linux host with the BPF JIT enabled (net.core.bpf_jit_enable, the default on most modern arm64 distros), and (2) the ability to load an eBPF program - either via unprivileged BPF being enabled or possession of CAP_BPF/CAP_SYS_ADMIN. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8) reflects a high-impact local issue requiring some privilege, consistent with a BPF-loading capability on arm64. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user (or a process inside a container) on an arm64 system that permits BPF program loading crafts an eBPF program whose compiled branch displacement lands in the over-permissive range, causing the JIT to emit a branch with an inverted sign bit. When the JIT-compiled program runs in kernel context, the flipped forward-to-backward branch diverts control flow, leading to a kernel crash or, with careful displacement shaping, memory corruption that could be leveraged toward privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or mainline 7.1 (or later) depending on your branch - which shifts the check by (bits - 1) to enforce the true signed N-bit range; corresponding commits are at https://git.kernel.org/stable/c/a5dfeb3b61065039488342d43ae06d4729d955d4 and the sibling stable hashes in the references. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all ARM64 Linux systems in production and identify those permitting local user access and program execution. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38904 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy