Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only verifier bug needing BPF-load privilege (AV:L, PR:L); once loadable the malformed state is deterministic (AC:L); a verifier bypass yields kernel R/W, so C:H/I:H/A:H.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars
When regsafe() compares two scalar registers that both carry BPF_ADD_CONST, check_scalar_ids() maps their full compound id (aka base | BPF_ADD_CONST flag) as one idmap entry. However, it never verifies that the underlying base ids, that is, with the flag stripped are consistent with existing idmap mappings.
This allows construction of two verifier states where the old state has R3 = R2 + 10 (both sharing base id A) while the current state has R3 = R4 + 10 (base id C, unrelated to R2). The idmap creates two independent entries: A->B (for R2) and A|flag->C|flag (for R3), without catching that A->C conflicts with A->B. State pruning then incorrectly succeeds.
Fix this by additionally verifying base ID mapping consistency whenever BPF_ADD_CONST is set: after mapping the compound ids, also invoke check_ids() on the base IDs (flag bits stripped). This ensures that if A was already mapped to B from comparing the source register, any ADD_CONST derivative must also derive from B, not an unrelated C.
AnalysisAI
Local privilege escalation in the Linux kernel (6.11 through pre-patch 6.12.x/6.18.x/7.0.x) arises from a BPF verifier state-pruning flaw in regsafe() handling of BPF_ADD_CONST scalar registers, where base register IDs are not checked for mapping consistency. An attacker able to load BPF programs can construct two verifier states that falsely appear equivalent, causing state pruning to incorrectly succeed and letting an unsafe program bypass verification. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the ability to load eBPF programs into the kernel so the malformed verifier state can be submitted, and the kernel must be a vulnerable version (6.11 through the pre-fix commits) that includes BPF_ADD_CONST scalar handling. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent and point to a real but locally-gated kernel risk rather than a mass-exploitation event. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user (or a process inside a container) with the ability to load eBPF programs crafts two verifier states involving BPF_ADD_CONST scalar registers so that the verifier's flawed base-ID comparison treats divergent states as equivalent, pruning verification and accepting a program that performs out-of-bounds kernel memory access. The attacker uses the resulting read/write primitive to leak sensitive kernel data or corrupt kernel structures and escalate privileges. … |
| Remediation | Vendor-released patch: upgrade to a fixed Linux kernel - 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's backported equivalent containing the stable commits 13c02881…, 691adf73…, 7d73c72c…, or 2f2ec8e7…). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Linux kernel 6.11 or pre-patched versions of 6.12.x, 6.18.x, or 7.0.x by checking kernel version via uname -r. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38949
GHSA-phj2-v9xx-8m7r