Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local attacker needs BPF-load privilege (PR:L, AV:L) with a reliable trigger (AC:L); strong kernel-pointer/OOB info leak (C:H) and crash potential (A:H), with limited demonstrated write impact (I:L).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops
When a BPF sock_ops program accesses ctx fields with dst_reg == src_reg, the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the destination register in the !fullsock / !locked_tcp_sock path.
Both macros borrow a temporary register to check is_fullsock / is_locked_tcp_sock when dst_reg == src_reg, because dst_reg holds the ctx pointer. When the check is false (e.g., TCP_NEW_SYN_RECV state with a request_sock), dst_reg should be zeroed but is not, leaving the stale ctx pointer:
- SOCK_OPS_GET_SK: dst_reg retains the ctx pointer, passes NULL checks
as PTR_TO_SOCKET_OR_NULL, and can be used as a bogus socket pointer, leading to stack-out-of-bounds access in helpers like bpf_skc_to_tcp6_sock().
- SOCK_OPS_GET_FIELD: dst_reg retains the ctx pointer which the
verifier believes is a SCALAR_VALUE, leaking a kernel pointer.
Fix both macros by:
- Changing JMP_A(1) to JMP_A(2) in the fullsock path to skip the
added instruction.
- Adding BPF_MOV64_IMM(si->dst_reg, 0) after the temp register
restore in the !fullsock path, placed after the restore because dst_reg == src_reg means we need src_reg intact to read ctx->temp.
AnalysisAI
Out-of-bounds read and kernel pointer leak in the Linux kernel's eBPF sock_ops subsystem lets a local low-privileged actor able to load BPF programs disclose kernel memory and corrupt kernel state. The SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the destination register on the !fullsock/!locked_tcp_sock path when dst_reg == src_reg, leaving a stale ctx pointer that the verifier mistakes for a valid socket or a scalar. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the local ability to load and attach a BPF_PROG_TYPE_SOCK_OPS program (CAP_BPF/CAP_NET_ADMIN, or a system with unprivileged BPF enabled via kernel.unprivileged_bpf_disabled=0), and the program must access a ctx field using the SOCK_OPS_GET_SK / SOCK_OPS_GET_FIELD code path with dst_reg == src_reg. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a real but bounded, locally-scoped issue rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user (or a low-privileged container with BPF load rights) attaches a crafted sock_ops BPF program that reads a socket context field using the same register as source and destination, then drives a TCP connection into the TCP_NEW_SYN_RECV state so the !fullsock branch is taken. The program then either reads back the leaked kernel pointer to defeat KASLR or passes the stale ctx pointer to a helper like bpf_skc_to_tcp6_sock() to trigger a stack out-of-bounds access. … |
| Remediation | Upstream fix available (commit); the released patched kernel version is not independently confirmed beyond the stable git commits, so apply your distribution's updated kernel package once it incorporates stable commits 18e3ffde1822f0b48b1753bf34aa97ce839df1d8 and 10f86a2a5c91fc4c4d001960f1c21abe52545ef6 (see https://git.kernel.org/stable/c/18e3ffde1822f0b48b1753bf34aa97ce839df1d8 and https://git.kernel.org/stable/c/10f86a2a5c91fc4c4d001960f1c21abe52545ef6). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory Linux systems and identify which allow unprivileged BPF program loading; assess exposure in containerized and multi-tenant environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38946
GHSA-pwr6-cvf5-35f3