Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: reject direct access to nullable PTR_TO_BUF pointers

check_mem_access() matches PTR_TO_BUF via base_type() which strips
PTR_MAYBE_NULL, allowing direct dereference without a null check.

Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL.
On stop callbacks these are NULL, causing a kernel NULL dereference.

Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the
existing PTR_TO_BTF_ID pattern.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference can occur in the BPF subsystem of the Linux kernel. check_mem_access() matches PTR_TO_BUF through base_type(), which strips PTR_MAYBE_NULL, so a pointer that can be NULL is accepted for direct dereference without a null check. In a map iterator's stop callback, ctx->key and ctx->value are NULL, so dereferencing them causes a kernel NULL dereference and a system crash. This is a classic NULL pointer dereference (CWE-476) and results in a denial of service on the affected system.
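The following user-space model shows why matching on base_type() alone loses the nullability information and how the type_may_be_null() guard restores it. It is an added example, not kernel source or code from this page: the enum value, the two check_buf_access_* helper names and the -EACCES rejection value are assumptions of the model.

```c
/* Simplified user-space model of the verifier's type check (added example,
 * not kernel source). The enum value is constructed; only the names and the
 * base-type/flag split follow the scheme the description refers to. */
#include <errno.h>
#include <stdio.h>

#define BPF_BASE_TYPE_BITS 8
#define BPF_BASE_TYPE_MASK ((1u << BPF_BASE_TYPE_BITS) - 1)
#define PTR_MAYBE_NULL     (1u << BPF_BASE_TYPE_BITS) /* flag above base bits */

enum { PTR_TO_BUF = 2 };                              /* constructed value */

static unsigned base_type(unsigned t)        { return t & BPF_BASE_TYPE_MASK; }
static int      type_may_be_null(unsigned t) { return (t & PTR_MAYBE_NULL) != 0; }

/* Before the fix (hypothetical helper name): the branch matches on the base
 * type only, so PTR_MAYBE_NULL never influences the decision. */
static int check_buf_access_unfixed(unsigned reg_type)
{
    if (base_type(reg_type) == PTR_TO_BUF)
        return 0;                 /* direct access accepted */
    return -EACCES;               /* model's stand-in for "invalid mem access" */
}

/* After the fix (hypothetical helper name): same match plus the guard, so a
 * nullable buffer pointer falls through to rejection. */
static int check_buf_access_fixed(unsigned reg_type)
{
    if (base_type(reg_type) == PTR_TO_BUF && !type_may_be_null(reg_type))
        return 0;
    return -EACCES;
}

int main(void)
{
    /* ctx->key as first loaded, and after the program has null-checked it
     * (the null check is what clears PTR_MAYBE_NULL on the register). */
    unsigned nullable = PTR_TO_BUF | PTR_MAYBE_NULL;
    unsigned checked  = PTR_TO_BUF;

    printf("%-28s unfixed=%d fixed=%d\n", "PTR_TO_BUF|PTR_MAYBE_NULL",
           check_buf_access_unfixed(nullable), check_buf_access_fixed(nullable));
    printf("%-28s unfixed=%d fixed=%d\n", "PTR_TO_BUF",
           check_buf_access_unfixed(checked), check_buf_access_fixed(checked));
    return 0;
}
```

With the guard in place, a program that dereferences ctx->key or ctx->value without first testing it for NULL is rejected at load time, while a program that performs the null check is still accepted.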

Affected Systems

Affected releases are Linux kernel versions before the patch that added the null guard for dereferencing PTR_TO_BUF pointers. The exact affected version range is not specified, but any kernel release lacking that fix is vulnerable.

Risk and Exploitability

The CVSS and EPSS scores are not available; the vulnerability is not listed in the CISA KEV catalog. The risk is significant because the flaw occurs in privileged kernel code, and a successful exploit would crash the system. Exploitation would require the ability to load or execute BPF programs that reach the faulty cleanup path, which may be achievable by a local privileged user or potentially remotely if another weakness permits BPF program injection.

Generated by OpenCVE AI on May 8, 2026 at 18:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the null guard for PTR_TO_BUF pointers.
  • If an immediate kernel upgrade is not possible, temporarily disable BPF functionality that relies on the vulnerable context, or restrict it to trusted users only.
  • Monitor system logs for unexpected kernel panics and verify that no BPF programs are triggering the null dereference path.


Advisories

No advisories yet.

History

Fri, 08 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476

Fri, 08 May 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: bpf: reject direct access to nullable PTR_TO_BUF pointers check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check. Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference. Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern.
Title | | bpf: reject direct access to nullable PTR_TO_BUF pointers
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T13:31:20.107Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43333

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:43.003

Modified: 2026-05-08T14:16:43.003

Link: CVE-2026-43333

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T21:30:05Z
