Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: crypto: Use the correct destructor kfunc type

With CONFIG_CFI enabled, the kernel strictly enforces that indirect
function calls use a function pointer type that matches the target
function. I ran into the following type mismatch when running BPF
self-tests:

CFI failure at bpf_obj_free_fields+0x190/0x238 (target:
bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)
Internal error: Oops - CFI: 00000000f2008228 [#1] SMP
...

As bpf_crypto_ctx_release() is also used in BPF programs and using
a void pointer as the argument would make the verifier unhappy, add
a simple stub function with the correct type and register it as the
destructor kfunc instead.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This bug occurs in the Linux kernel’s BPF crypto subsystem when the destructor function pointer type does not match the expected signature enforced by CONFIG_CFI. The mismatch triggers a Control‑Flow Integrity violation, causing the kernel to issue an Oops and crash. The primary impact is that any BPF program using the crypto context could abruptly terminate the system, effectively denying service to users or processes that rely on that kernel module. Based on the description, it is inferred that an attacker would need to be able to execute a BPF program that exercises the crypto context to trigger this crash.

Affected Systems

The flaw is present in the core Linux kernel, affecting all distributions that ship a kernel compiled with CONFIG_CFI and that make use of the BPF crypto context destructor. Specific kernel versions are not listed in the data, so any unpatched kernel with this configuration is at risk.

Risk and Exploitability

The EPSS score of < 1% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation. The CVSS score of 5.5 indicates moderate severity. The kernel crash could be triggered by a BPF program that accesses the flawed crypto context destructor. Based on the description, an attacker must be able to load or execute a BPF program that exercises the flawed destructor, which likely requires system access or an environment where custom BPF programs are executed. No publicly documented exploit samples are currently known, so the immediate risk is considered moderate to low, but the denial‑of‑service nature warrants remediation.

Generated by OpenCVE AI on May 15, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel release that includes the corrected destructor kfunc implementation, which addresses the type mismatch highlighted by CWE-843.
  • Ensure that the kernel configuration includes CONFIG_CFI to enforce function pointer type checks, mitigating future type‑mismatch vulnerabilities.
  • If an upgrade cannot be applied immediately, restrict or disable BPF programs that invoke crypto contexts until the patch is applied, reducing the chance of a CFI failure.

Generated by OpenCVE AI on May 15, 2026 at 21:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 09 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-704

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-704

Fri, 08 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: crypto: Use the correct destructor kfunc type With CONFIG_CFI enabled, the kernel strictly enforces that indirect function calls use a function pointer type that matches the target function. I ran into the following type mismatch when running BPF self-tests: CFI failure at bpf_obj_free_fields+0x190/0x238 (target: bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc) Internal error: Oops - CFI: 00000000f2008228 [#1] SMP ... As bpf_crypto_ctx_release() is also used in BPF programs and using a void pointer as the argument would make the verifier unhappy, add a simple stub function with the correct type and register it as the destructor kfunc instead.
Title bpf: crypto: Use the correct destructor kfunc type
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:22:00.468Z

Reserved: 2026-05-01T14:12:56.000Z

Link: CVE-2026-43306

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T14:16:37.913

Modified: 2026-05-15T19:53:19.910

Link: CVE-2026-43306

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43306 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T22:00:12Z

Weaknesses