Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject sleepable kprobe_multi programs at attach time

kprobe.multi programs run in atomic/RCU context and cannot sleep.
However, bpf_kprobe_multi_link_attach() did not validate whether the
program being attached had the sleepable flag set, allowing sleepable
helpers such as bpf_copy_from_user() to be invoked from a non-sleepable
context.

This causes a "sleeping function called from invalid context" splat:

BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo
preempt_count: 1, expected: 0
RCU nest depth: 2, expected: 0

Fix this by rejecting sleepable programs early in
bpf_kprobe_multi_link_attach(), before any further processing.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a flaw in the bpf_kprobe_multi_link_attach routine where it fails to confirm that a kprobe_multi program is not marked as sleepable. Because kprobe_multi programs are meant to run in an atomic or RCU context, the missing validation allows a sleepable helper such as bpf_copy_from_user to be invoked, producing a "sleeping function called from invalid context" fatal error that normally triggers a kernel panic.

Affected Systems

All Linux kernel builds that include the vulnerable bpf_kprobe_multi logic before the recent patch are impacted. The CNA lists the product as Linux:Linux; version information is not explicitly provided, so any kernel version that does not contain the early‑rejection fix should be considered at risk until updated. The CPE list includes kernel releases such as 7.0 rc1 through rc6, but the vulnerability applies broadly to earlier kernels as well.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of public exploitation. The likely attack vector is that an attacker who can load a malicious BPF program—as is typically restricted to privileged users—might exploit the flaw to crash the kernel. This inference comes from the description’s mention of loading BPF programs but does not specify the required privilege level. The vulnerability is not listed in CISA’s KEV catalog, further indicating limited known exploitation. Overall, the risk is moderate but could be high in environments that permit arbitrary BPF program loading without strict access controls.

Generated by OpenCVE AI on May 7, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a kernel version that implements the bpf_kprobe_multi validation fix, such as the latest upstream release or the distribution’s security patch set.
  • If an update is not immediately available, unload all existing kprobe_multi BPF programs and restrict future loading by limiting the ability to load BPF programs or enabling BPF lockdown mechanisms.
  • Monitor system logs for the "sleeping function called from invalid context" message and plan to apply the patch as soon as it is released.

Generated by OpenCVE AI on May 7, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sat, 02 May 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-357
CWE-676

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-663
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Fri, 01 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-357
CWE-676

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Reject sleepable kprobe_multi programs at attach time kprobe.multi programs run in atomic/RCU context and cannot sleep. However, bpf_kprobe_multi_link_attach() did not validate whether the program being attached had the sleepable flag set, allowing sleepable helpers such as bpf_copy_from_user() to be invoked from a non-sleepable context. This causes a "sleeping function called from invalid context" splat: BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 0 Fix this by rejecting sleepable programs early in bpf_kprobe_multi_link_attach(), before any further processing.
Title bpf: Reject sleepable kprobe_multi programs at attach time
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:15:57.532Z

Reserved: 2026-05-01T14:12:55.974Z

Link: CVE-2026-43010

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:44.887

Modified: 2026-05-07T20:26:12.200

Link: CVE-2026-43010

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43010 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T22:45:24Z

Weaknesses