CVE-2026-43333 - Vulnerability Details

- bpf: reject direct access to nullable PTR_TO_BUF pointers

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: reject direct access to nullable PTR_TO_BUF pointers

check_mem_access() matches PTR_TO_BUF via base_type() which strips
PTR_MAYBE_NULL, allowing direct dereference without a null check.

Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL.
On stop callbacks these are NULL, causing a kernel NULL dereference.

Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the
existing PTR_TO_BTF_ID pattern.

Published: 2026-05-08

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, a null pointer dereference can occur in the BPF subsystem. The check for memory access matches a pointer type that incorrectly allows direct dereference, omitting a null check. When BPF programs reach an end‑of‑context callback, the map iterator pointers may be NULL, causing a kernel NULL dereference. This vulnerability is a classic null pointer dereference (CWE‑476) and results in a denial of service by crashing the kernel.

Affected Systems

Affected releases are Linux kernel versions before the patch that added a guard against null pointers when dereferencing PTR_TO_BUF pointers. The exact affected version range is not specified, but any kernel sequence lacking that fix is vulnerable.

Risk and Exploitability

The CVSS score is 5.5, and the EPSS score is < 1%. The vulnerability is not listed in the CISA KEV catalog. The risk is significant because the flaw occurs in privileged kernel code, and a successful exploit would crash the system. Based on the description, it is inferred that exploitation requires the ability to load a BPF program that triggers the faulty cleanup path, which is typically available to users with BPF execution privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`b453361384c2db1c703dacb806d5fd36aec4ceca`	affected	< 10bc4a4dcded509c5d5c67d497900c3922c604cd
`20b2aff4bc15bda809f994761d5719827d66c0b4`	affected	< 21a10c06ffae24cb01fd174a7ab7736001d2ea56
`20b2aff4bc15bda809f994761d5719827d66c0b4`	affected	< 8755066f7bd0f4ac46a29d1708c7b20894539252
`20b2aff4bc15bda809f994761d5719827d66c0b4`	affected	< 70abd9d118da2f56beb4ec22e3a29becae373535
`20b2aff4bc15bda809f994761d5719827d66c0b4`	affected	< 63276547debc4d8a73eefb2c5273b2a905c961b0
`20b2aff4bc15bda809f994761d5719827d66c0b4`	affected	< 4f6c99dc0420f1a3d671c1b8ab8a7ac84d9cba09
`20b2aff4bc15bda809f994761d5719827d66c0b4`	affected	< b0db1accbc7395657c2b79db59fa9fae0d6656f3
`e982070f8970bb62e69ed7c9cafff886ed200349`	affected	—
`5.15.37`	affected	< 5.15.203
`5.16.11`	affected	< 5.17

Linux

affected

Version	Status	Constraints
`5.17`	affected	—
`0`	unaffected	< 5.17
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[b453361384c2db1c703dacb806d5fd36aec4ceca,10bc4a4dcded509c5d5c67d497900c3922c604cd)`	affected	code_commit	—
`[20b2aff4bc15bda809f994761d5719827d66c0b4,21a10c06ffae24cb01fd174a7ab7736001d2ea56)`	affected	code_commit	—
`[20b2aff4bc15bda809f994761d5719827d66c0b4,8755066f7bd0f4ac46a29d1708c7b20894539252)`	affected	code_commit	—
`[20b2aff4bc15bda809f994761d5719827d66c0b4,70abd9d118da2f56beb4ec22e3a29becae373535)`	affected	code_commit	—
`[20b2aff4bc15bda809f994761d5719827d66c0b4,63276547debc4d8a73eefb2c5273b2a905c961b0)`	affected	code_commit	—
`[20b2aff4bc15bda809f994761d5719827d66c0b4,4f6c99dc0420f1a3d671c1b8ab8a7ac84d9cba09)`	affected	code_commit	—
`[20b2aff4bc15bda809f994761d5719827d66c0b4,b0db1accbc7395657c2b79db59fa9fae0d6656f3)`	affected	code_commit	—
`e982070f8970bb62e69ed7c9cafff886ed200349`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.17`	affected	generic	—
`[0,5.17)`	unaffected	generic	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.134,6.7.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that includes the null guard for PTR_TO_BUF pointers.
If an immediate kernel upgrade is not possible, temporarily disable BPF functionality that relies on the vulnerable context, or restrict it to trusted users only.
Monitor system logs for unexpected kernel panics and verify that no BPF programs are triggering the null dereference path.

Generated by OpenCVE AI on May 15, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2026/CVE-2026-43333.mbox
https://git.kernel.org/stable/c/10bc4a4dcded509c5d5c67d497900c3922c604cd
https://git.kernel.org/stable/c/21a10c06ffae24cb01fd174a7ab7736001d2ea56
https://git.kernel.org/stable/c/4f6c99dc0420f1a3d671c1b8ab8a7ac84d9cba09
https://git.kernel.org/stable/c/63276547debc4d8a73eefb2c5273b2a905c961b0
https://git.kernel.org/stable/c/70abd9d118da2f56beb4ec22e3a29becae373535
https://git.kernel.org/stable/c/8755066f7bd0f4ac46a29d1708c7b20894539252
https://git.kernel.org/stable/c/b0db1accbc7395657c2b79db59fa9fae0d6656f3
https://nvd.nist.gov/vuln/detail/CVE-2026-43333
https://www.cve.org/CVERecord?id=CVE-2026-43333

History

Sat, 16 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2026/CVE-2026-43333.mbox https://nvd.nist.gov/vuln/detail/CVE-2026-43333 https://www.cve.org/CVERecord?id=CVE-2026-43333
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 15 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 08 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Fri, 08 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: reject direct access to nullable PTR_TO_BUF pointers check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check. Map iterator ctx->key and ctx->value are PTR_TO_BUF \| PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference. Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern.
Title		bpf: reject direct access to nullable PTR_TO_BUF pointers
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/10bc4a4dcded509c5d5c67d497900c3922c604cd https://git.kernel.org/stable/c/21a10c06ffae24cb01fd174a7ab7736001d2ea56 https://git.kernel.org/stable/c/4f6c99dc0420f1a3d671c1b8ab8a7ac84d9cba09 https://git.kernel.org/stable/c/63276547debc4d8a73eefb2c5273b2a905c961b0 https://git.kernel.org/stable/c/70abd9d118da2f56beb4ec22e3a29becae373535 https://git.kernel.org/stable/c/8755066f7bd0f4ac46a29d1708c7b20894539252 https://git.kernel.org/stable/c/b0db1accbc7395657c2b79db59fa9fae0d6656f3

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:31:20.107Z

Updated: 2026-05-23T16:06:46.060Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43333

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T14:16:43.003

Modified: 2026-05-15T20:07:34.453

Link: CVE-2026-43333

Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43333 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T23:00:14Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object