Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local actor able to load eBPF (PR:L, AV:L); verifier bypass enabling unsafe kernel memory access yields high C/I/A with no user interaction and low complexity.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix ld_{abs,ind} failure path analysis in subprogs
Usage of ld_{abs,ind} instructions got extended into subprogs some time ago via commit 09b28d76eac4 ("bpf: Add abnormal return checks."). These are only allowed in subprograms when the latter are BTF annotated and have scalar return types.
The code generator in bpf_gen_ld_abs() has an abnormal exit path (r0=0 + exit) from legacy cBPF times. While the enforcement is on scalar return types, the verifier must also simulate the path of abnormal exit if the packet data load via ld_{abs,ind} failed.
This is currently not the case. Fix it by having the verifier simulate both success and failure paths, and extend it in similar ways as we do for tail calls. The success path (r0=unknown, continue to next insn) is pushed onto stack for later validation and the r0=0 and return to the caller is done on the fall-through side.
AnalysisAI
{abs,ind} instructions can take inside BTF-annotated subprograms when a packet data load fails. The verifier only validated the success path, leaving the failure path unanalyzed, which can let an unsafe BPF program pass verification. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the ability to load eBPF programs on the target host and specifically a BTF-annotated subprogram with a scalar return type that uses legacy ld_{abs,ind} packet-load instructions (the only configuration in which these instructions are permitted in subprograms after commit 09b28d76eac4). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent for a local, capability-gated kernel issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user (or a compromised container/process) with the ability to load eBPF programs crafts a BTF-annotated subprogram using ld_{abs,ind} whose failure path was never validated by the verifier, smuggling unsafe register state past verification. When the program runs, the unverified path leads to out-of-bounds or type-confused kernel memory access, which a skilled attacker can shape into kernel memory disclosure or privilege escalation. … |
| Remediation | Apply the vendor (upstream) fix by updating to a patched stable kernel - per EUVD data this corresponds to 7.0.10 and 7.1 (and the relevant 5.10 stable backport); the corrective commits are d846d83bdacbd8f14fc45c63b8c1d22608452e1c and ee861486e377edc55361c08dcbceab3f6b6577bd at git.kernel.org. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems with BPF program loading enabled and audit which users and applications have permissions to load BPF programs. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-253 – Incorrect Check of Function Return Value
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38958
GHSA-h443-hx93-m7qc