Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local attacker needs the low-privilege ability to load BPF (PR:L, AV:L); a successful verifier-bypass yields kernel memory read/write enabling full compromise (C/I/A:H), no UI required.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix linked reg delta tracking when src_reg == dst_reg
Consider the case of rX += rX where src_reg and dst_reg are pointers to the same bpf_reg_state in adjust_reg_min_max_vals(). The latter first modifies the dst_reg in-place, and later in the delta tracking, the subsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the post-{add,sub} value instead of the original source.
This is problematic since it sets an incorrect delta, which sync_linked_regs() then propagates to linked registers, thus creating a verifier-vs-runtime mismatch. Fix it by just skipping this corner case.
AnalysisAI
Privilege-relevant memory corruption in the Linux kernel eBPF verifier (introduced around v6.11) lets a local user with BPF-loading capability defeat the verifier's range tracking when a register adds to itself (rX += rX), because adjust_reg_min_max_vals() mutates dst_reg in place and then reads the already-modified src_reg, recording a wrong delta that sync_linked_regs() propagates to linked registers. The result is a verifier-vs-runtime mismatch - the verifier reasons about register bounds that differ from actual execution, the classic precursor to out-of-bounds kernel memory access and local privilege escalation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local code execution and the ability to load eBPF programs into the kernel - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent and point to a real but not emergency-grade local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local low-privileged user (or a tenant inside a container that retains BPF capability) on an affected kernel loads a specially crafted eBPF program containing an rX += rX instruction designed to make the verifier mis-track register bounds. Because the verifier approves a program whose runtime behavior diverges from its proof, the attacker leverages the resulting out-of-bounds register state to read or write kernel memory and escalate to root. … |
| Remediation | Upgrade to a fixed stable kernel - Vendor-released patch: 6.18.33, 7.0.10, or 7.1 (or your distribution's equivalent backport build) using stable commits d88e8e4a3b52bd5b2ff3eceba4b29d1b5506d066, cc86a8b0a1c54d2bccf6f68cf49b82dea91b84de, or d7f14173c0d5866c3cae759dee560ad1bed10d2e from https://git.kernel.org/stable/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify systems running Linux kernel v6.11+ and review current BPF security configuration (kernel.unprivileged_bpf_disabled setting). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-393 – Return of Wrong Status Code
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38960
GHSA-4p37-9v73-jm8h