Skip to main content

Linux Kernel EUVDEUVD-2026-38960

| CVE-2026-53092 HIGH
Return of Wrong Status Code (CWE-393)
2026-06-24 Linux GHSA-4p37-9v73-jm8h
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local attacker needs the low-privilege ability to load BPF (PR:L, AV:L); a successful verifier-bypass yields kernel memory read/write enabling full compromise (C/I/A:H), no UI required.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 28, 2026 - 09:10 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix linked reg delta tracking when src_reg == dst_reg

Consider the case of rX += rX where src_reg and dst_reg are pointers to the same bpf_reg_state in adjust_reg_min_max_vals(). The latter first modifies the dst_reg in-place, and later in the delta tracking, the subsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the post-{add,sub} value instead of the original source.

This is problematic since it sets an incorrect delta, which sync_linked_regs() then propagates to linked registers, thus creating a verifier-vs-runtime mismatch. Fix it by just skipping this corner case.

AnalysisAI

Privilege-relevant memory corruption in the Linux kernel eBPF verifier (introduced around v6.11) lets a local user with BPF-loading capability defeat the verifier's range tracking when a register adds to itself (rX += rX), because adjust_reg_min_max_vals() mutates dst_reg in place and then reads the already-modified src_reg, recording a wrong delta that sync_linked_regs() propagates to linked registers. The result is a verifier-vs-runtime mismatch - the verifier reasons about register bounds that differ from actual execution, the classic precursor to out-of-bounds kernel memory access and local privilege escalation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local access with BPF-load capability
Delivery
Craft eBPF program with rX += rX
Exploit
Verifier mis-tracks linked register delta
Execution
Load passes verification, runs with bad bounds
Persist
Trigger out-of-bounds kernel memory access
Impact
Escalate to root / full host compromise

Vulnerability AssessmentAI

Exploitation Requires local code execution and the ability to load eBPF programs into the kernel - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent and point to a real but not emergency-grade local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privileged user (or a tenant inside a container that retains BPF capability) on an affected kernel loads a specially crafted eBPF program containing an rX += rX instruction designed to make the verifier mis-track register bounds. Because the verifier approves a program whose runtime behavior diverges from its proof, the attacker leverages the resulting out-of-bounds register state to read or write kernel memory and escalate to root. …
Remediation Upgrade to a fixed stable kernel - Vendor-released patch: 6.18.33, 7.0.10, or 7.1 (or your distribution's equivalent backport build) using stable commits d88e8e4a3b52bd5b2ff3eceba4b29d1b5506d066, cc86a8b0a1c54d2bccf6f68cf49b82dea91b84de, or d7f14173c0d5866c3cae759dee560ad1bed10d2e from https://git.kernel.org/stable/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify systems running Linux kernel v6.11+ and review current BPF security configuration (kernel.unprivileged_bpf_disabled setting). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38960 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy