Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Reset register ID for BPF_END value tracking

When a register undergoes a BPF_END (byte swap) operation, its scalar
value is mutated in-place. If this register previously shared a scalar ID
with another register (e.g., after an `r1 = r0` assignment), this tie must
be broken.

Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END.
Consequently, if a conditional jump checks the swapped register, the
verifier incorrectly propagates the learned bounds to the linked register,
leading to false confidence in the linked register's value and potentially
allowing out-of-bounds memory accesses.

Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case
to break the scalar tie, similar to how BPF_NEG handles it via
`__mark_reg_known`.
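To make the scalar-tie mechanism concrete, here is an added toy model of the verifier's id tracking in Python (illustration only, not kernel code; the register class, the `mov`/`bpf_end`/`learn_ule` helpers and the id-allocation scheme are simplified assumptions). It replays the sequence the commit message describes, `r1 = r0; r1 = bswap64(r1); if r1 <= 7`, with and without the `dst_reg->id` reset, and shows that only the fixed version leaves `r0` unbounded.

```python
# Toy model of eBPF verifier scalar-id tracking (added illustration, not kernel code).
from dataclasses import dataclass

U64_MAX = (1 << 64) - 1

@dataclass
class Reg:
    umin: int = 0
    umax: int = U64_MAX
    id: int = 0  # non-zero id ties registers known to hold the same scalar

def bswap64(value: int) -> int:
    """Runtime effect of a 64-bit BPF_END: swap the byte order."""
    return int.from_bytes((value & U64_MAX).to_bytes(8, "little"), "big")

def mov(dst: Reg, src: Reg, next_id: list) -> None:
    """r_dst = r_src: copy the bounds and tie both registers with one id."""
    if src.id == 0:
        next_id[0] += 1
        src.id = next_id[0]
    dst.umin, dst.umax, dst.id = src.umin, src.umax, src.id

def bpf_end(dst: Reg, fixed: bool) -> None:
    """BPF_END mutates the value in place, so its bounds become unknown.
    The fix also resets the id; the buggy verifier left the tie intact."""
    dst.umin, dst.umax = 0, U64_MAX
    if fixed:
        dst.id = 0

def learn_ule(regs: list, idx: int, bound: int) -> None:
    """Fall-through of `if r[idx] > bound goto`: r[idx] <= bound, and the
    same bound is propagated to every register sharing r[idx]'s id."""
    regs[idx].umax = min(regs[idx].umax, bound)
    for other in regs:
        if regs[idx].id and other is not regs[idx] and other.id == regs[idx].id:
            other.umax = min(other.umax, bound)

def verifier_umax_r0(fixed: bool) -> int:
    """Track `r1 = r0; r1 = bswap64(r1); if r1 <= 7` and return r0's umax."""
    regs, next_id = [Reg(), Reg()], [0]  # r0 unknown scalar, r1 copies it
    mov(regs[1], regs[0], next_id)
    bpf_end(regs[1], fixed)
    learn_ule(regs, 1, 7)
    return regs[0].umax

def runtime_witness() -> tuple:
    """Constructed r0 whose byte-swap passes `<= 7` while r0 itself does not."""
    r0 = 1 << 56
    return r0, bswap64(r0)
```

With the buggy handler `verifier_umax_r0(False)` returns 7 for `r0`, yet `runtime_witness()` shows a value of `r0` far above 7 that still passes the check on `r1`, which is exactly the false confidence the commit message describes.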
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An eBPF verifier bug arises when a BPF_END operation, which swaps byte order, mutates a register's scalar value without resetting its identifier. When the original register shares its scalar ID with another register, the verifier fails to break this link, causing propagated bounds to be incorrectly trusted. This flaw can be exploited by a malicious eBPF program that performs such operations and then manipulates conditional jumps to access memory addresses outside the intended bounds. The result is an out-of-bounds read or write in kernel space, which could lead to data leakage or elevation of privilege.

Affected Systems

The vulnerability exists in the Linux kernel across all versions prior to the commit that introduced an explicit reset of dst_reg->id during BPF_END handling. The affected product is the Linux kernel.

Risk and Exploitability

No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Although a precise CVSS score is not provided, the kernel-level flaw carries a high inherent risk; an attacker who can load custom eBPF code with sufficient privileges could trigger the bug to gain arbitrary kernel memory access. The attack vector is therefore local, or any remote service that allows user-land processes to submit eBPF programs to the kernel, such as through socket filters or BPF maps. The exploitable condition requires the attacker to craft a program that performs a BPF_END on a register tied to another register and then uses a conditional jump that is incorrectly evaluated by the verifier.

Generated by OpenCVE AI on May 5, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Patch the Linux kernel to a version that includes commit 0d15c3611a2cc5d08993545d4032055ae10ae2c1 or the equivalent fix for BPF_END register ID reset.
  • If immediate kernel updates are not possible, restrict eBPF program loading to trusted users or disable eBPF JIT compilation via sysctl net.core.bpf_jit_enable=0 to reduce the exploitation surface.
  • Monitor system logs for unexpected BPF program loading activity and audit BPF map accesses by configuring an auditd rule for the bpf_attach_sock and bpf_prog_load syscalls.

Generated by OpenCVE AI on May 5, 2026 at 17:51 UTC.


Advisories

No advisories yet.

History

Tue, 05 May 2026 18:15:00 +0000
  Values added:
    Weaknesses: CWE-665

Tue, 05 May 2026 16:15:00 +0000
  Values added:
    Description: (the full text shown under Description above)
    Title: bpf: Reset register ID for BPF_END value tracking
    First Time appeared: Linux; Linux linux Kernel
    CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
    Vendors & Products: Linux; Linux linux Kernel
    References: (none)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-05T15:23:28.819Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43070

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T16:16:16.320

Modified: 2026-05-05T16:16:16.320

Link: CVE-2026-43070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T18:00:13Z

Weaknesses