Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local s390x host with BPF-load capability gives PR:L/AV:L; crafting the triggering program is straightforward (AC:L); JIT miscompilation can disclose kernel memory and corrupt kernel state, so C/I/A:H.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
s390/bpf: Zero-extend bpf prog return values and kfunc arguments
s390x ABI requires callers to zero-extend unsigned arguments and sign-extend signed arguments, and callees to zero-extend unsigned return values and sign-extend signed return values.
s390 BPF JIT currently implements only sign extension. Fix this omission and implement zero extension too.
AnalysisAI
Memory-safety and information-disclosure risk in the Linux kernel s390 (IBM Z) eBPF JIT compiler stems from incomplete ABI compliance: the JIT sign-extended values but never zero-extended unsigned BPF program return values and kfunc arguments as the s390x calling convention requires. On s390x hosts, a local user able to load BPF programs can cause the JIT to emit code that leaves stale upper register bits, producing incorrect computation that can leak kernel data or corrupt execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local foothold on an IBM Z / s390x system running an affected Linux kernel with the eBPF JIT enabled (net.core.bpf_jit_enable), and the ability to load a BPF program or trigger a kfunc whose unsigned return value or arguments traverse the missing zero-extension path - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderately consistent but point to a low-to-moderate real-world priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On an s390x Linux host where unprivileged or container-confined users can load BPF programs, an attacker crafts a BPF program (or invokes a kfunc) whose unsigned return value or argument relies on the high register bits being cleared; because the JIT omits zero-extension, stale kernel data remains in those bits and is read back into the program, leaking kernel memory contents or steering subsequent logic incorrectly. No public exploit is identified at time of analysis, and the local, low-complexity vector means a foothold with BPF-load capability is the main prerequisite. |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 6.6.141, 6.12.91, 6.18.33, 7.0.10 or 7.1, or apply the corresponding distribution backport, then reboot so the patched s390 BPF JIT takes effect; the upstream fixes are the kernel.org stable commits edc90a12073b, 44c4f999b03f, 366b0e05ee24, 834918a77be5 and 202e42e4aa89 (advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-53110). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all IBM Z systems and identify kernel versions affected by CVE-2026-53110. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38978
GHSA-j2v8-v4c8-53mp