Skip to main content

Linux Kernel EUVDEUVD-2026-38958

| CVE-2026-53090 HIGH
Incorrect Check of Function Return Value (CWE-253)
2026-06-24 Linux GHSA-h443-hx93-m7qc
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local actor able to load eBPF (PR:L, AV:L); verifier bypass enabling unsafe kernel memory access yields high C/I/A with no user interaction and low complexity.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 28, 2026 - 09:09 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix ld_{abs,ind} failure path analysis in subprogs

Usage of ld_{abs,ind} instructions got extended into subprogs some time ago via commit 09b28d76eac4 ("bpf: Add abnormal return checks."). These are only allowed in subprograms when the latter are BTF annotated and have scalar return types.

The code generator in bpf_gen_ld_abs() has an abnormal exit path (r0=0 + exit) from legacy cBPF times. While the enforcement is on scalar return types, the verifier must also simulate the path of abnormal exit if the packet data load via ld_{abs,ind} failed.

This is currently not the case. Fix it by having the verifier simulate both success and failure paths, and extend it in similar ways as we do for tail calls. The success path (r0=unknown, continue to next insn) is pushed onto stack for later validation and the r0=0 and return to the caller is done on the fall-through side.

AnalysisAI

{abs,ind} instructions can take inside BTF-annotated subprograms when a packet data load fails. The verifier only validated the success path, leaving the failure path unanalyzed, which can let an unsafe BPF program pass verification. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local BPF-load capability
Delivery
Craft BTF subprog with ld_abs/ind
Exploit
Pass verifier via unvalidated failure path
Execution
Trigger failed packet load at runtime
Persist
Execute unsafe kernel memory access
Impact
Escalate privileges or leak kernel memory

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to load eBPF programs on the target host and specifically a BTF-annotated subprogram with a scalar return type that uses legacy ld_{abs,ind} packet-load instructions (the only configuration in which these instructions are permitted in subprograms after commit 09b28d76eac4). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent for a local, capability-gated kernel issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user (or a compromised container/process) with the ability to load eBPF programs crafts a BTF-annotated subprogram using ld_{abs,ind} whose failure path was never validated by the verifier, smuggling unsafe register state past verification. When the program runs, the unverified path leads to out-of-bounds or type-confused kernel memory access, which a skilled attacker can shape into kernel memory disclosure or privilege escalation. …
Remediation Apply the vendor (upstream) fix by updating to a patched stable kernel - per EUVD data this corresponds to 7.0.10 and 7.1 (and the relevant 5.10 stable backport); the corrective commits are d846d83bdacbd8f14fc45c63b8c1d22608452e1c and ee861486e377edc55361c08dcbceab3f6b6577bd at git.kernel.org. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems with BPF program loading enabled and audit which users and applications have permissions to load BPF programs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy