Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Reset register ID for BPF_END value tracking

When a register undergoes a BPF_END (byte swap) operation, its scalar
value is mutated in-place. If this register previously shared a scalar ID
with another register (e.g., after an `r1 = r0` assignment), this tie must
be broken.

Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END.
Consequently, if a conditional jump checks the swapped register, the
verifier incorrectly propagates the learned bounds to the linked register,
leading to false confidence in the linked register's value and potentially
allowing out-of-bounds memory accesses.

Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case
to break the scalar tie, similar to how BPF_NEG handles it via
`__mark_reg_known`.
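To make the mechanism in the description concrete, here is a small Python model of the verifier's scalar-ID bookkeeping. It is an added example, not kernel code: `ScalarTracker`, `end16`, `jlt_taken`, the 16-bit register width and the sample program are all assumptions chosen to illustrate the point. It runs the same instruction sequence through a tracker with and without the fix, then contrasts the bounds the buggy verifier assumes for the linked register with a concrete runtime value that violates them.

```python
from dataclasses import dataclass


@dataclass
class Reg:
    """Verifier-side view of a scalar register: unsigned bounds plus a link ID."""
    umin: int
    umax: int
    id: int = 0          # 0 means "not tied to any other register"


class ScalarTracker:
    """Toy model (assumption, not the kernel's verifier) of scalar-ID linking."""

    def __init__(self, reset_id_on_end: bool):
        self.reset_id_on_end = reset_id_on_end   # True models the fix
        self.regs = {}
        self._next_id = 1

    def unknown(self, name, bits=16):
        """Register holds an attacker-controlled value of the given width."""
        self.regs[name] = Reg(0, (1 << bits) - 1, 0)

    def mov(self, dst, src):
        """dst = src: both registers now share one scalar ID."""
        s = self.regs[src]
        if s.id == 0:
            s.id = self._next_id
            self._next_id += 1
        self.regs[dst] = Reg(s.umin, s.umax, s.id)

    def end16(self, dst):
        """bswap16 dst: value mutated in place, bounds widen to the full 16 bits."""
        r = self.regs[dst]
        r.umin, r.umax = 0, 0xFFFF
        if self.reset_id_on_end:
            r.id = 0          # the fix: break the scalar tie
        # the unfixed verifier leaves r.id untouched, so the tie survives

    def jlt_taken(self, reg, imm):
        """Refine bounds on the 'reg < imm' taken branch, then propagate to linked regs."""
        r = self.regs[reg]
        r.umax = min(r.umax, imm - 1)
        if r.id:
            for other in self.regs.values():
                if other is not r and other.id == r.id:
                    other.umin, other.umax = r.umin, r.umax

    def bounds(self, reg):
        r = self.regs[reg]
        return (r.umin, r.umax)


def bswap16(v):
    """Concrete 16-bit byte swap, what BPF_END does at run time."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


def verifier_bounds_for_r0(reset_id_on_end):
    """Bounds the verifier assumes for r0 on the taken branch of:
       r0 = unknown16; r1 = r0; r1 = bswap16 r1; if r1 < 16 goto taken"""
    v = ScalarTracker(reset_id_on_end)
    v.unknown("r0")
    v.mov("r1", "r0")
    v.end16("r1")
    v.jlt_taken("r1", 16)
    return v.bounds("r0")


def runtime_r0_on_taken_branch(r0_value):
    """Concrete execution of the same program: r0 if the branch is taken, else None."""
    return r0_value if bswap16(r0_value) < 16 else None


if __name__ == "__main__":
    print("unfixed verifier assumes r0 in", verifier_bounds_for_r0(False))  # (0, 15)
    print("fixed verifier assumes r0 in  ", verifier_bounds_for_r0(True))   # (0, 65535)
    # constructed input: 0x0100 swaps to 0x0001, so the branch is taken while r0 == 256
    print("actual r0 on taken branch     ", runtime_r0_on_taken_branch(0x0100))  # 256
```

The unfixed tracker reports r0 as lying in [0, 15] after the jump, so a bounds check on r0 against a 16-element buffer would pass verification; the concrete run shows r0 = 256 reaching that branch, which is the out-of-bounds access the commit message warns about. With the ID reset, r1's refined bounds stay on r1 and r0 keeps its full range.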
Published: 2026-05-05
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An eBPF verifier bug arises when a BPF_END operation, which swaps byte order, mutates a register's scalar value without resetting its identifier. When the original register shares its scalar ID with another register, the verifier fails to break this link, causing propagated bounds to be incorrectly trusted. Based on the description, it is inferred that a malicious eBPF program that performs such operations and manipulates conditional jumps could exploit the flaw, potentially enabling out-of-bounds read or write in kernel space.

Affected Systems

The vulnerability exists in the Linux kernel across all versions prior to the commit that introduced an explicit reset of dst_reg->id during BPF_END handling. The affected product is the Linux kernel.

Risk and Exploitability

EPSS indicates a low likelihood of exploitation (score below 1%), and the CVSS score is 7.8. The kernel-level flaw carries a high inherent risk: an attacker who can load custom eBPF code with sufficient privileges could trigger the bug to gain arbitrary kernel memory access. It is inferred that the attack vector is therefore any local or remote service that allows user-land processes to submit eBPF programs to the kernel, such as through socket filters or BPF maps. The exploitable condition requires the attacker to craft a program that performs a BPF_END on a register tied to another register and then uses a conditional jump that is incorrectly evaluated by the verifier.

Generated by OpenCVE AI on May 8, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Patch the Linux kernel to a version that includes commit 0d15c3611a2cc5d08993545d4032055ae10ae2c1 or the equivalent fix for BPF_END register ID reset.
  • If immediate kernel updates are not possible, restrict eBPF program loading to trusted users or disable eBPF JIT compilation via sysctl net.core.bpf_jit_enable=0 to mitigate exploitation surfaces.
  • Monitor system logs for unexpected BPF program loading activity and audit generated BPF map accesses by configuring an auditd rule for the bpf_attach_sock and bpf_prog_load syscalls.



Advisories

No advisories yet.

History

Fri, 29 May 2026 18:00:00 +0000

  • Weaknesses: CWE-125
  • CPEs:
    cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

  • Metrics: removed cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; added cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 06 May 2026 12:15:00 +0000

  • Weaknesses: CWE-805
  • References
  • Metrics: removed threat_severity None; added cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} and threat_severity Important

Tue, 05 May 2026 18:15:00 +0000

  • Weaknesses: CWE-665

Tue, 05 May 2026 16:15:00 +0000

  • Description: the text shown under Description at the top of this page
  • Title: bpf: Reset register ID for BPF_END value tracking
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
  • References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:08.258Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43070

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-05T16:16:16.320

Modified: 2026-05-29T17:55:03.500

Link: CVE-2026-43070

Redhat

Severity : Important

Public Date: 2026-05-05T00:00:00Z

Links: CVE-2026-43070 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T15:30:05Z

Weaknesses