Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix exception exit lock checking for subprogs

process_bpf_exit_full() passes check_lock = !curframe to
check_resource_leak(), which is false in cases when bpf_throw() is
called from a static subprog. This makes check_resource_leak() skip
validation of active_rcu_locks, active_preempt_locks, and
active_irq_id on exception exits from subprogs.

At runtime bpf_throw() unwinds the stack via ORC without releasing any
user-acquired locks, which may cause various issues as a result.

Fix by setting check_lock = true for exception exits regardless of
curframe, since exceptions bypass all intermediate frame
cleanup. Update the error message prefix to "bpf_throw" for exception
exits to distinguish them from normal BPF_EXIT.

Fix reject_subprog_with_rcu_read_lock test which was previously
passing for the wrong reason. Test program returned directly from the
subprog call without closing the RCU section, so the error was
triggered by the unclosed RCU lock on normal exit, not by
bpf_throw. Update __msg annotations for affected tests to match the
new "bpf_throw" error prefix.

The spin_lock case is not affected because spin locks are already checked [1]
at the call site in do_check_insn() before bpf_throw can run.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Resource Leak (locks)
Action: Apply Patch
AI Analysis

Impact

The Linux kernel's BPF verifier omitted lock validation when a BPF subprogram throws an exception, allowing bpf_throw() to unwind the stack without releasing user-acquired locks. This omission leaves RCU, preempt, and IRQ locks held, which can block subsequent kernel operations and potentially trigger system instability or denial-of-service conditions. The flaw is a resource-management defect that undermines the kernel's synchronization guarantees.

Affected Systems

All Linux kernel distributions that have not incorporated the commit introducing the fix are affected. The vulnerability exists in any kernel release in which a static BPF subprogram can invoke bpf_throw() and the check_resource_leak routine bypasses lock checks. Consequently, any system running an unpatched kernel prior to the merge of the described commit is potentially susceptible.

Risk and Exploitability

The CVSS score of 7.0 indicates moderate risk, and the EPSS score of < 1% suggests a very low likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog, indicating no known exploitation. However, the flaw requires that an attacker has permission to load custom BPF programs; a malicious actor with that capability could craft a subprogram that intentionally throws an exception, causing lock leaks that degrade performance or lead to a kernel crash. Based on the description, it is inferred that the attack vector is local to the host and that the attacker must have the privilege to load BPF programs. The attack hinges on the execution of malformed or malicious BPF code.

Generated by OpenCVE AI on April 28, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a kernel that incorporates the fix (commits 5a399f3 or later)
  • If using a custom kernel, recompile or apply the patch containing the updated commit
  • Validate that BPF subprograms no longer generate bpf_throw exceptions by running the provided tests or monitoring lock acquisition

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Fix exception exit lock checking for subprogs (the full commit message is identical to the Description above)
Title bpf: Fix exception exit lock checking for subprogs
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:10:30.204Z

Reserved: 2026-03-09T15:48:24.111Z

Link: CVE-2026-31526

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:52.763

Modified: 2026-04-28T18:04:24.930

Link: CVE-2026-31526

Redhat

Severity : Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31526 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses