Skip to main content

Linux Kernel EUVDEUVD-2026-38949

| CVE-2026-53081 HIGH
Symbolic Name not Mapping to Correct Object (CWE-386)
2026-06-24 Linux GHSA-phj2-v9xx-8m7r
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local-only verifier bug needing BPF-load privilege (AV:L, PR:L); once loadable the malformed state is deterministic (AC:L); a verifier bypass yields kernel R/W, so C:H/I:H/A:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:05 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars

When regsafe() compares two scalar registers that both carry BPF_ADD_CONST, check_scalar_ids() maps their full compound id (aka base | BPF_ADD_CONST flag) as one idmap entry. However, it never verifies that the underlying base ids, that is, with the flag stripped are consistent with existing idmap mappings.

This allows construction of two verifier states where the old state has R3 = R2 + 10 (both sharing base id A) while the current state has R3 = R4 + 10 (base id C, unrelated to R2). The idmap creates two independent entries: A->B (for R2) and A|flag->C|flag (for R3), without catching that A->C conflicts with A->B. State pruning then incorrectly succeeds.

Fix this by additionally verifying base ID mapping consistency whenever BPF_ADD_CONST is set: after mapping the compound ids, also invoke check_ids() on the base IDs (flag bits stripped). This ensures that if A was already mapped to B from comparing the source register, any ADD_CONST derivative must also derive from B, not an unrelated C.

AnalysisAI

Local privilege escalation in the Linux kernel (6.11 through pre-patch 6.12.x/6.18.x/7.0.x) arises from a BPF verifier state-pruning flaw in regsafe() handling of BPF_ADD_CONST scalar registers, where base register IDs are not checked for mapping consistency. An attacker able to load BPF programs can construct two verifier states that falsely appear equivalent, causing state pruning to incorrectly succeed and letting an unsafe program bypass verification. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local BPF-load capability
Delivery
Craft program with conflicting ADD_CONST base IDs
Exploit
Verifier prunes states incorrectly
Execution
Unsafe program passes verification
Persist
Trigger OOB kernel read/write
Impact
Escalate privileges or leak kernel memory

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to load eBPF programs into the kernel so the malformed verifier state can be submitted, and the kernel must be a vulnerable version (6.11 through the pre-fix commits) that includes BPF_ADD_CONST scalar handling. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent and point to a real but locally-gated kernel risk rather than a mass-exploitation event. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user (or a process inside a container) with the ability to load eBPF programs crafts two verifier states involving BPF_ADD_CONST scalar registers so that the verifier's flawed base-ID comparison treats divergent states as equivalent, pruning verification and accepting a program that performs out-of-bounds kernel memory access. The attacker uses the resulting read/write primitive to leak sensitive kernel data or corrupt kernel structures and escalate privileges. …
Remediation Vendor-released patch: upgrade to a fixed Linux kernel - 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's backported equivalent containing the stable commits 13c02881…, 691adf73…, 7d73c72c…, or 2f2ec8e7…). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Linux kernel 6.11 or pre-patched versions of 6.12.x, 6.18.x, or 7.0.x by checking kernel version via uname -r. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38949 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy